Twilio contested after the leak of alleged steam 2FA codes

Twilio denied in an explanation for bleeping computer that it was injured after a threat actor claimed to hold over 89 million steam user records with one-time access codes.

The threat player, who is also known to the alias Machine1337 (also known as an energy -wovonsuser), applied a lot of data that were allegedly pulled out of steam and offered to sell it for 5,000 US dollars.

When examining the leaked files that contained 3,000 data records, Bleeping computer found historical SMS text messages with unique passcodes for Steam, including the recipient's telephone number.

Steam belongs to Valve Corporation and is the world's largest digital sales platform for PC games with over 120 million active users.

Valve did not answer our inquiries about a comment on the requirements of the threat.

The independent game journalist Mellolwonline1, who is also the Creator of the SteamStinels Community Group, monitors abuse and fraud in the Steam ecosystem, suggests that the incident is a supply chain compromise with Twilio.

Mellowonline1 pointed out technical evidence in the leaked data that indicate that real-time SMS protocol entries from Twilios specify backend systems and a compromised administrator account or abuse of API key.

Twilio is a cloud communication company that offers APIs for sending SMS, voice calls and 2FA messages that are often used by apps such as Steam for user authentication.

When asked by bleeping computer after their possible participation in the alleged steam injury, a Twilio spokesman granted the situation and confirmed that they were investigating.

Twilio takes these threats very seriously and checks the alleged incident. We will provide further information as soon as it is available, ”a company spokesman told Bleeping Computer.

Twilio later followed with a statement that realized that the company's systems had not been injured.

If you look at the data, a possible explanation for its origin is a leak of an SMS provider that violates the communication of one-time access codes between Twilio and steam users.

Some of the messages delivered are clearly confirmation codes for access to a Steam account or for working with a telephone number with one.

However, Bleeping computer could not determine whether the data comes from an SMS provider or who could be. In addition, we could not check the actor's requirements.

It is worth noting that some of the data are relatively new because we have found that many of the delivery dates were from the beginning of March.

Twilio offers a 2FA product (two-factor authentication) with the name Verify API, with the customer, including game providers, with various communication channels (SMS, Whatsapp, Voice, Voice, email, passkeys, approval for silent devices, push or time-based one-time password).

From caution, steam users are recommended to enable Steam Guard Mobile Authenticator for additional security and account activities for non-authorized signing attempts.