Fixxx
Moder
- Joined
- 20.08.24
- Messages
- 661
- Reaction score
- 2,205
- Points
- 93
Twilio has denied in a statement that it was breached after a threat actor claimed to be holding over 89 million Steam user records with one-time access codes. The threat actor, using the alias Machine1337 (also known as EnergyWeaponsUser), advertised a trove of data allegedly pulled from Steam, offering to sell it for $5,000. An examination of the leaked files, containing 3,000 records, revealed historical SMS text messages containing one-time Steam access codes, including the recipient's phone number.
Owned by Valve Corporation, Steam is the world's largest digital distribution platform for PC games, with over 120 million monthly active users. Valve did not respond to our requests for a comment on the threat actor's claims. Independent games journalist MellolwOnline1, who is also the creator of the SteamSentinels community group that monitors abuse and fraud in the Steam ecosystem, suggests that the incident is a supply-chain compromise involving Twilio. MellowOnline1 pointed to technical evidence in the leaked data that indicates real-time SMS log entries from Twilio's backend systems, hypothesizing a compromised admin account or abuse of API keys.
Twilio is a cloud communications company that provides APIs for sending SMS, voice calls, and 2FA messages, widely used by apps like Steam for user authentication. Twilio takes these threats very seriously and is reviewing the alleged incident. "We will provide more information as it becomes available," a company representative said. Twilio later followed up with a statement clarifying that the company's systems had not been breached.
Looking at the data, one possible explanation for its origin is a leak from an SMS provider that intermediates the communication of one-time access codes between Twilio and Steam users. Some of the messages delivered are clearly confirmation codes for accessing a Steam account or for associating a phone number with one. However, it could not be determined whether the data originated from the SMS provider and who it might be It is worth mentioning that some of the data is relatively new, as we found many of the delivery dates were from the beginning of March. Twilio provides a two-factor authentication (2FA) product called Verify API that customers, game providers among them, can implement with various communication channels (SMS, WhatsApp, voice, email, passkeys, silent device approval, push, or time-based one-time passwords). Out of abundance of caution, Steam users are recommended to enable Steam Guard Mobile Authenticator for additional security and monitor account activity for unauthorized login attempts.
.jpg)
*threat actor's post on XSS.
Owned by Valve Corporation, Steam is the world's largest digital distribution platform for PC games, with over 120 million monthly active users. Valve did not respond to our requests for a comment on the threat actor's claims. Independent games journalist MellolwOnline1, who is also the creator of the SteamSentinels community group that monitors abuse and fraud in the Steam ecosystem, suggests that the incident is a supply-chain compromise involving Twilio. MellowOnline1 pointed to technical evidence in the leaked data that indicates real-time SMS log entries from Twilio's backend systems, hypothesizing a compromised admin account or abuse of API keys.
*x.com.
Twilio is a cloud communications company that provides APIs for sending SMS, voice calls, and 2FA messages, widely used by apps like Steam for user authentication. Twilio takes these threats very seriously and is reviewing the alleged incident. "We will provide more information as it becomes available," a company representative said. Twilio later followed up with a statement clarifying that the company's systems had not been breached.
"There is no evidence to suggest that Twilio was breached. We have reviewed a sampling of the data found online, and see no indication that this data was obtained from Twilio." - Twilio spokesperson.
Looking at the data, one possible explanation for its origin is a leak from an SMS provider that intermediates the communication of one-time access codes between Twilio and Steam users. Some of the messages delivered are clearly confirmation codes for accessing a Steam account or for associating a phone number with one. However, it could not be determined whether the data originated from the SMS provider and who it might be It is worth mentioning that some of the data is relatively new, as we found many of the delivery dates were from the beginning of March. Twilio provides a two-factor authentication (2FA) product called Verify API that customers, game providers among them, can implement with various communication channels (SMS, WhatsApp, voice, email, passkeys, silent device approval, push, or time-based one-time passwords). Out of abundance of caution, Steam users are recommended to enable Steam Guard Mobile Authenticator for additional security and monitor account activity for unauthorized login attempts.