A recent data breach could threaten your Steam account, but luckily, protecting yourself (and your games) is fairly easy.
An estimated 89 million Steam users' accounts were affected by a data breach on Saturday, affecting roughly two-thirds of all Steam accounts. While Steam itself wasn't breached directly, hackers gained access to some account details through a third-party Steam works with, although it's still unclear which one.
Here's what we know about the breach and what you should do to keep your Steam account safe.
See also: Best gaming laptop deals May 2025
Two-thirds of all Steam accounts at risk after third-party data breach
On Sunday, a user on X by the name of Mellow_Online1 reported a data breach that occurred the day before.
This particular X user is the Sentinels of the Store's community leader, a Steam group that aims "to protect consumers from malpractice and deceit." In this case, that means reporting a major data breach that could put millions of Steam users' accounts at risk.
The evidence so far indicates that this was not a breach of Steam itself, but one of its third-party partners. The leaked dataset, which was seen on a dark web forum for a selling price of $5,000, contains real-time SMS logs, specifically the two-factor authentication codes sent to Steam users' phones to confirm login attempts.
Currently, it doesn't look like actual passwords were compromised, although the one-time codes and their associated phone numbers could potentially put your Steam account at risk.
Update: An update suggests that the alleged Steam data breach is not a direct breach of Steam itself, but rather a supply chain compromise — meaning an external service that Steam relies on was targeted.Here's what we understand from this update:New evidence confirms some…May 11, 2025
As Mellow_Online1 pointed out in a follow-up post, the hacker who originally stole this data likely has some sort of back-end access to one of the third-party companies Steam uses for its 2FA services.
Mellow_Online1 originally reported that Twilio was the 2FA company that was breached, but Twilio has denied that, stating there's no evidence that the leaked data came from them. So, it's still unclear which one of Steam's third-party partners was the source of the leak, but luckily, there are a couple of easy steps you can take to protect your account.
How to protect your Steam account after the data breach
There's no way to know for sure if this data breach compromised your account, so it's a good idea to change your Steam password now.
We recommend using a password generator like LastPass to create a strong, unique password. Also, make sure you update your Steam password in your password manager (if you don't use one, now's a good time to start—I highly recommend BitWarden's password manager).
Additionally, keep a close eye on your Steam account, connected credit cards, and email account. The leaked data could be used to send phishing texts or emails, so be wary of any messages asking you to log in or for login info.
It's also a good idea to double-check that no unfamiliar devices are accessing your Steam account. You can do that by opening the Steam app and going to the "Security & Devices" tab in your account settings.
Here, you'll see all the devices currently logged in with your account, when they logged in, and where they are located. If there are any you don't recognize, select "Remove All Credentials" to log out on all devices and promptly change your Steam password.
