- EnergyWeaponUser advertised a new archive on the dark web
- They claim it holds phone numbers and OTP codes for Steam
- Some researchers claim the archive came from Twilio, but the company denied having been breached
EnergyWeaponUser, a known cybercriminal and leaker, is selling a new database which, they claim, holds more than 89 million Steam user records, phone numbers, and one-time access codes.
Steam is a digital games distribution platform developed by Valve. It has more than 130 million monthly active users, which use the platform to buy, download, and play computer games.
Recently, a new thread in an underground forum appeared where the hacker offered the database for $5,000. BleepingComputer was among those who analyzed the records, and claims it holds “historic SMS text message with one-time passcodes for Steam, including the recipient’s phone number”.
Was it Twilio?
However, it is unclear where EnergyWeaponUser picked the archives up. Valve is being silent for the moment. An independent games journalist MellowOnline1 believes the theft is the result of a supply chain attack, with Twilio being the most likely victim.
Twilio is a cloud communications platform that allows devs to integrate different messaging, voice, and video features. Among other things, it provides SMS and MMS messaging, which many companies use for one-time passcodes and 2FA.
However, the company told BleepingComputer that it investigated the claims and found no evidence of compromise.
“There is no evidence to suggest that Twilio was breached,” a spokesperson for the company told the publication. “We have reviewed a sampling of the data found online, and see no indication that this data was obtained from Twilio.”
Another possible explanation is that an intermediary SMS provider could have been breached. At press time, the actual victim was not yet confirmed. EnergyWeaponUser’s claims could not be verified at this time. However, the leaker is rather infamous, as they were previously linked with Cisco, Ford, and HPE breaches.
Steam is warning users to enable Steam Guard Mobile Authenticator and keep an eye on account activity.
Via BleepingComputer
Leave a comment