Twilio has denied being hacked after a threat actor claimed to be selling over 89 million Steam user records with one-time access codes.
The hacker, using the name Machine1337, posted the data for sale online for $5,000, saying it was pulled from Steam.
The leaked sample includes 3,000 records showing old SMS messages with Steam verification codes and user phone numbers. Some believe this could be a supply-chain attack involving a third-party service like Twilio, which provides SMS and 2FA services used by platforms like Steam.

A Steam-focused fraud watchdog group called SteamSentinels suggested the leak may have come from a compromised Twilio account or abused API keys, based on what they saw in the leaked data.
Twilio confirmed it’s investigating the claims but stated:
“There is no evidence to suggest that Twilio was breached… the data found online does not appear to have come from Twilio.”
The data may have come from a third-party SMS provider that sits between Steam and Twilio, but this hasn’t been confirmed. Some of the leaked messages appear recent, dating to March 2025.





