Twilio Denies Data Breach Amid Allegations of 89 Million Steam User Records

San Francisco, CA – Twilio, a cloud communications platform, has denied claims that it was breached after a threat actor, known as Machine1337, asserted possession of over 89 million Steam user records. The hacker is reportedly offering these records, which include one-time access codes and phone numbers, for sale on the dark web for $5,000.

BleepingComputer, a technology news outlet, analyzed a portion of the leaked data and discovered 3,000 records containing SMS text messages linked to Steam’s authentication. However, Valve Corporation, the owner of Steam, has not yet responded to requests for comments regarding the situation.

MellowOnline1, an independent games journalist, pointed out that the leak may be related to Twilio due to evidence in the data that suggests real-time SMS logs came from Twilio’s backend systems. They theorized the leak could stem from a compromised admin account or misuse of API keys.

In response to inquiries, a Twilio spokesperson confirmed they are investigating the situation and stated, “We take these threats very seriously and are reviewing the alleged incident.” Nonetheless, they later clarified that their systems had not been breached, saying, “There is no evidence to suggest that Twilio was breached. We have reviewed a sampling of the data found online and see no indication that this data was obtained from Twilio.”

BleepingComputer noted that while the threat actor claims the data originated from Twilio, there is no conclusive evidence supporting this. It is also hypothesized that the data may have come from an SMS provider that forwards one-time access codes from Twilio to Steam users.

Attackers selling the data could put Steam users at risk, leading to potential phishing attempts or unauthorized access to accounts. Users are advised to enable Steam Guard, Steam’s two-factor authentication system, and monitor their accounts for any suspicious activity.

As of now, no official confirmation regarding the breach of Steam has been released. Both Twilio and Valve have maintained their systems were not compromised. It remains uncertain how the data leak occurred, and until more information emerges, users should practice heightened security measures.