Twilio insists it did not suffer a breach
Twilio has denied in a statement to BleepingComputer that it suffered a breach, following claims from a threat actor who said they are holding over 89 million Steam user records containing one-time access codes.
The threat actor, using the alias Machine1337 (also known as EnergyWeaponsUser), advertised a trove of data allegedly pulled from Steam and offered it for sale at $5,000.
Upon examining the leaked files—which contained 3,000 records—BleepingComputer discovered historic SMS text messages with one-time passcodes for Steam, including recipients’ phone numbers.
[Image: Threat actor’s post on XSS. Source: BleepingComputer]
Steam and Valve
Owned by Valve Corporation, Steam stands as the world’s largest digital distribution platform for PC games, boasting over 120 million monthly active users.
Valve did not respond to our requests for comment on the threat actor’s claims.
Meanwhile, independent games journalist MellowOnline1—who also created the SteamSentinels community group that monitors abuse and fraud within the Steam ecosystem—suggests the incident involves a supply-chain compromise linked to Twilio.
MellowOnline1 referenced technical evidence in the leaked data, which shows real-time SMS log entries from Twilio’s backend systems, and proposed either a compromised admin account or misuse of API keys.
Twilio
Twilio, a cloud communications company, offers APIs for sending SMS, voice calls, and 2FA messages, widely adopted by applications like Steam for user authentication.
When BleepingComputer asked Twilio about their possible involvement in the alleged Steam breach, a spokesperson acknowledged the situation and confirmed that the company is investigating.
“Twilio takes these threats very seriously and is reviewing the alleged incident. We will provide more information as it becomes available,” a company spokesperson told BleepingComputer.
Later, Twilio followed up with a statement clarifying that the company’s systems remained secure.
“There is no evidence to suggest that Twilio was breached. We have reviewed a sampling of the data found online and see no indication that this data was obtained from Twilio,” the spokesperson added.
Based on the data, one possible explanation for its origin is a leak from an SMS provider that intermediates the delivery of one-time access codes between Twilio and Steam users.
Notably, some of the leaked messages clearly contain confirmation codes used to access a Steam account or to associate a phone number with one.
However, BleepingComputer could not determine whether the data originated from an SMS provider or identify the provider in question. Moreover, we could not verify the threat actor’s claims.
Importantly, some of the data appears to be relatively recent, with many delivery dates traced back to early March.
Twilio offers a two-factor authentication (2FA) product called Verify API, which customers—including game providers—can use across various communication channels such as SMS, WhatsApp, voice, email, passkeys, silent device approval, push, or time-based one-time passwords.
Out of an abundance of caution, Steam users should enable Steam Guard Mobile Authenticator for extra security and regularly monitor their account activity for any unauthorized login attempts.
Source: BleepingComputer, Bill Toulas