Twilio has denied being hacked after a threat actor claimed to be selling over 89 million Steam user records with one-time access codes.
The hacker, using the name Machine1337, posted the data for sale online for $5,000, saying it was pulled from Steam.
The leaked sample includes 3,000 records showing old SMS messages with Steam verification codes and user phone numbers. Some believe this could be a supply-chain attack involving a third-party service like Twilio, which provides SMS and 2FA services used by platforms like Steam.
A Steam-focused fraud watchdog group called SteamSentinels suggested the leak may have come from a compromised Twilio account or abused API keys, based on what they saw in the leaked data.
Twilio confirmed it’s investigating the claims but stated:
“There is no evidence to suggest that Twilio was breached… the data found online does not appear to have come from Twilio.”
The data may have come from a third-party SMS provider that works between Steam and Twilio, but this hasn’t been confirmed. Some of the leaked messages appear recent, dating back to March 2025.
