Up to 89 million usernames, passwords, and email addresses associated to those accounts have been leaked online via the black market. What started as a potential leak from the online gaming service, Steam, has led down the rabbit hole to find the breached service. Whether the threat ends up being legit, now would be a good time to update those passwords.

What started this morning by a post from X user MellowOnline1 stating that a post surfaced on LinkedIn from a user called Underdark AI detailing that a user on a black market by the alias of Machine1337 (also known as EnergyWeaponsUser), had obtained some 89 million Steam accounts and posted a sale price, listed for $5,000.

What at first seemed like a Steam breach, MellowOnline1 and others started to point the finger at a third party service called Twilio, a 3rd party service for SMS messaging, usually for providing 2FA , for the breach. Steam has denied that they have used Twilio for such services.

Bleeping Computer, an online technology site reached out to Twilio for comment about the breach. Later today, Twilio has responded:

“There is no evidence to suggest that Twilio was breached. We have reviewed a sampling of the data found online, and see no indication that this data was obtained from Twilio.”

At this time there is no official confirmed breaches by either services. However out of abundance of caution, one should:

• Change their Steam password
• Enable Steam Guard Mobile Authenticator
• Check https://haveibeenpwned.com/ to see if your account is compromised