Twilio denies breach following leak of alleged Steam 2FA codes

Twilio has denied in a statement for BleepingComputer that it was breached after a threat actor claimed to be holding over 89 million Steam user records with one-time access codes.

The threat actor, using the alias Machine1337 (also known as EnergyWeaponsUser), advertised a trove of data allegedly pulled from Steam, offering to sell it for $5,000.

When examining the leaked files, which contained 3,000 records, BleepingComputer found historic SMS text messages with one-time passcodes for Steam, including the recipient's phone number.

Owned by Valve Corporation, Steam is the world's largest digital distribution platform for PC games, with over 120 million monthly active users.

Valve did not respond to our requests for a comment on the threat actor's claims.

Independent games journalist MellowOnline1, who is also the creator of the SteamSentinels community group that monitors abuse and fraud in the Steam ecosystem, suggests that the incident is a supply-chain compromise involving Twilio.

MellowOnline1 pointed to technical evidence in the leaked data that indicates real-time SMS log entries from Twilio's backend systems, hypothesizing a compromised admin account or abuse of API keys.

Twilio is a cloud communications company that provides APIs for sending SMS, voice calls, and 2FA messages, widely used by apps like Steam for user authentication.

When asked by BleepingComputer about their possible involvement in the alleged Steam breach, a Twilio spokesperson acknowledged the situation and confirmed they're investigating.

"Twilio takes these threats very seriously and is reviewing the alleged incident. We will provide more information as it becomes available," a company spokesperson told BleepingComputer.

Twilio later followed up with a statement clarifying that the company's systems had not been breached.

"There is no evidence to suggest that Twilio was breached. We have reviewed a sampling of the data found online, and see no indication that this data was obtained from Twilio." - Twilio spokesperson

Looking at the data, one possible explanation for its origin is a leak from an SMS provider that intermediates the communication of one-time access codes between Twilio and Steam users.

Some of the messages delivered are clearly confirmation codes for accessing a Steam account or for associating a phone number with one.

However, BleepingComputer could not determine if the data comes from an SMS provider or who it might be. Additionally, we could not verify the threat actor's claims.

It is worth mentioning that some of the data is relatively new, as we found many of the delivery dates were from the beginning of March.

Twilio provides a two-factor authentication (2FA) product called Verify API that customers, game providers among them, can implement with various communication channels (SMS, WhatsApp, voice, email, passkeys, silent device approval, push, or time-based one-time passwords).

Out of an abundance of caution, Steam users are recommended to enable Steam Guard Mobile Authenticator for additional security and monitor account activity for unauthorized login attempts.

Update 5/15: Steam has issued a statement in regards to the alleged breach, denying their systems were compromised.

The gaming platform clarified that the leaked set appears to contain SMS with one-time codes that are valid for 15 minutes and hence are no longer exploitable.

Steam assured users their accounts are safe, stating they need to take no action in response to the incident.

Why are people storing their 2FA in Twilio when Steam Guard exists?

In order to register for Steam Guard, you need to provide a phone number. This phone number is used for account recovery, which can bypass Steam Guard.
However, I cannot find evidence this data breach contains real data, and SMS verification is time-limited anyway, so from my understanding the only useful resource could be phone numbers. Even then, I believe this data breach was fake.
Also, Twilio appears to be completely unrelated according to this post, following an alleged response from a Valve representative: https://x.com/MellowOnline1/status/1922458687316074640

Steam doesn't use SMS codes