⚠️ Change your Steam Password ⚠️

89,000,000 usernames, passwords, and 2-step verification codes have been leaked.

After changing your password, you may wish to reset your 2-step code too.

https://www.techradar.com/pro/security/hacker-advertises-alleged-database-of-89-million-steam-2fa-codes-source-of-leak-unknown

#Steam #SteamPowered #Game #Gaming

Hacker advertises alleged database of 89 million Steam 2FA codes, source of leak unknown

They're selling it for $5,000

TechRadar pro

If you do not use a password manager, now is a good time to consider using one. Here are two (2) that are outside US jurisdiction.

Heylogin, located in Germany, Europe https://www.heylogin.com

Note: This password manager is tied to your hardware.

pCloud, located in Switzerland / Bulgaria, Europe https://www.pcloud.com/pass.html

Note: Use a VPN when first signing up to ensure your data is saved on their European servers. You can see a copy of the documentation here: https://docs.pcloud.com

heylogin

heylogin – the passwordless login for companies. Secure, effortless access with just a swipe. No master password, no hassle. Try it now!

@Linux Local password managers also work if you synchronize them using Nextcloud or something like this

(Thinking about KeepassXC & KeepassDX )

KeePassXC Password Manager

@Linux i would instead recommend a password manager that stores data only on your device, like keepassxc. it's much better than one that syncs your passwords to "the cloud."

@tusooa

I believe in keeping it easy and simple.

A person is smart, but people are dumb and do dumb things. That includes losing or breaking their devices, not making regular backups, and needing to sync over multiple devices.

There is wisdom to what you say, but the cloud is easier and safe for most people.

@Linux for offline password managers KeePass and its variants are great.

https://keepass.info/
https://keepassxc.org/

KeePass Password Safe

KeePass is a free open source password manager. Passwords can be stored in an encrypted database, which can be unlocked with one master key.

@Linux Please, for God's sake: never, ever consider any cloud-based password manager!

Use a local FOSS like KeePassXC with optional Syncthing/NextCloud/... share.

@Linux @gamingonlinux any new information if this is true?
@anokasion @Linux @gamingonlinux heard that it's not.
drs1969 (David Smith) 🇬🇧 (@drs1969@mstdn.social)

@herhandsmyhands@romancelandia.club It's been debunked, see here https://bsky.app/profile/tannerofthenorth.bsky.social/post/3lp572utm5c2c

@LawChan @anokasion@hidamari.apartments @gamingonlinux

Sorry, I don't see anything.

@thibaultmol

If anything was leaked -- anything -- I would advise people to still change everything. If you want to take the risk, that's your call, but I see no harm in being cautious and changing everything as a precaution.

Even if this were someone's idea of a joke and turned out to be a false flag, I would still suggest people review their security.

@Linux that's some weak defense of spreading AI hallucinations @thibaultmol

@nicholai

If anything was leaked -- anything -- I would advise people to still change everything. If you want to take the risk, that's your call, but I see no harm in being cautious and changing everything as a precaution.

Even if this were someone's idea of a joke and turned out to be a false flag, I would still suggest people review their security.

@Linux @nicholai Fabricated panic helps only people with insidious motives.
Frequent and forced password changes only lead to weaker passwords and less security.

You are a bad actor in this situation. I question your motives.

@Linux The article claims only phone numbers and 2FA codes got leaked. If you didn't have 2FA connected to your SMS you might be fine. Your actual account password isn't affected.

@popcar2

If anything was leaked -- anything -- I would advise people to still change everything. If you want to take the risk, that's your call, but I see no harm in being cautious and changing everything as a precaution.

Even if this were someone's idea of a joke and turned out to be a false flag, I would still suggest people review their security.

@Linux good thing i'm not affected, as i don't use 2fa on steam :3

@luna

I would still review your account. There is nothing wrong with being cautious.

@Linux >selling it for just 5k

I'm calling bs
Still, can't hurt to rotate your passwords every once in a while

@fristi

It may be total BS, but I would still side with caution. There is no harm in being cautious and changing your password.

@Linux @fristi https://www.varonis.com/blog/data-breach-response-times and let's not forget that companies do take their time on announcing breaches...

I've posted a notice like this, and people came for me just for this still not being confirmed... As if it's a bad thing to be cautious about our own security.

Data Breach Response Times: Trends and Tips

We've taken a deep dive to discover the trends between different data breaches, their response times, the effect of response duration and what you can do to keep your response time down.

@Linux @fristi@56k.dile-up.nl my passwords are vertical right now.
@kura @Linux @fristi@56k.dile-up.nl this is verifiably wrong, there was no leak, none of them did any digging to see it was AI making up crap
@koimoa @kura @Linux called it
Steam :: Steam News :: A note about the security of your Steam account

The recent leak being reported did NOT breach Steam systems

@Linux @fristi @koimoa @kura Steam did not confirm 89 million usernames and passwords were compromised, that is the nuance, and whoever started this claim chain was rightfully called out by fristi as BS unless substantiated by news outlets that actually bother to do data breach validation

“The leak consisted of older text messages that included one-time codes that were only valid for 15-minute time frames and the phone numbers they were sent to. The leaked data did not associate the phone numbers with a Steam account, password information, payment information or other personal data.”

@lancercryptid @koimoa @fristi @kura

And I would STILL say, change your password. -- WHY?

If you obtain enough expired codes, you can extrapolate (learn the algorithm) and create valid ones. - It is why you're always told by everyone, do not share your codes (including your old ones).

@Linux the article makes no mention of usernames or passwords being leaked. and while a leak of phone numbers is obviously a problem, historical sms 2fa codes are, well, historical and aren't an active risk to account security

steam's authentication process never even sends a plaintext password to the backend if i remember right, so they definitely know how to do account security and not to store plaintext passwords

no need for unnecessary fear mongering
@lea @Linux disclaimer: I am not a cybersec expert, I just read a lot (sometimes too much)

it might be kinda tinfoil-y but is it also possible they have much more damning data and this is just the first batch?
@gothdactyl @Linux yeah, they absolutely could but as long as there's no evidence of that i don't think it's fair to claim that "89 million usernames and passwords have leaked"

@lea @Linux
"they definitely know how to do account security"

No FIDO U2F or Passkey support for 2FA says otherwise.

@Linux oh shit not good
my steam account and bank account share a password

@admirallazuli

Lmao - If that is true, you should rethink your security.

@Linux it is, i value my banking info less than my steam account
changing steam passcode right away
@Linux The article doesn't say passwords were leaked, just 2FA codes through the SMS provider. You could use access to the 2FA code to reset a user's password, but that's not the same as a password hash leak.
@Linux tbf - this is not as big of a panic moment as it may seem. This is only historic OTP data. Steam Guard seems to be as functional as when Gaben gave out his password/mail combo a couple of years ago to prove the point of OTP codes.

I'd expect more targeted phishing with the phone numbers though
@Linux how are you supposed to change the steam guard? 🥴

@MeDueleLaTeta

That is easy -- Disable it and re-enable it. You'll have the option to generate new recovery codes.

@Linux Valve denies it, and said they don't use Twilio (the service that was said to have been involved in the leak).

Moreover, the guy who put out the news has considerably downplayed it in the last few hours. It is possible that there was never any leak.

Neco-Tan (@tannerofthenorth.bsky.social)

It's been debunked, Valve confirmed they don't even use the company that is said to be hacked (an SMS 2FA company) and the source of it all is an AI company's LinkedIn post that itself looks AI-made. I mean, $5000 for 89 MILLION Steam accounts? Come on. Just have Steam Guard and you're good.
Dan Goodin (@dangoodin@infosec.exchange)

Folks, there is 0 evidence that Steam passwords have been breached. Unless and until credible evidence occurs, please do NOT urge people to change their login credentials and please do NOT boost other people's toots doing the same. Creating unjustified anxiety about a non event does a disservice to us all. Please boost for visibility.

@Linux spreading hysteria is really funny

@Linux Looks like it's probably just 2FA info -- specifically SMS 2FA numbers -- that got leaked probably. If anyone is using SMS 2FA, they definitely should do something about it.

I won't disagree that changing passwords just to be on the safe side is a good idea though. I disagree with those who so adamantly insist that even though there is evidence of a breach of some kind we should just ignore it just because it's not immediately showing signs of including passwords.

Twilio denies breach following leak of alleged Steam 2FA codes

Twilio has denied in a statement for BleepingComputer that it was breached after a threat actor claimed to be holding over 89 million Steam user records with one-time access codes.

BleepingComputer
@Linux So the great thing about Fedi is that you can edit your posts as new information comes in. No need to write a separate update post, and it spreads just as well as the original. Updating the post to remove factually incorrect information also helps to boost the credibility behind the message that changing passwords is still a good practice.
Anyway, that's a long-winded way of saying I think you should update the post, but fully support pushing people to update passwords. ^^

@Linux That link specifically says it was old OTP messages (which are expired) and there's no link to account names, and no passwords. Your post, as of my checking it just now, still says 89 million usernames, passwords, and 2-step verification codes. So, yes, it is incorrect. I'm not sure why you're doubling down on this, but best of luck I guess =/

@Linux

Thanks for the heads up!

Changing my password was made extremely difficult by the way. I use steamguard-cli and ente Auth for 2FA but steam insisted on sending me a code to the app. I had to jump through many hoops to end up at email verification again.

The 2FA had to be fully removed before I could change my pw 😅

@Linux@mastodon.au It would be nice if you edited this with the updated information from Steam explaining that it's old 2FA text messages and that's it.

@retrosponge

I would STILL recommend everyone change their passwords and reset their 2-step codes. -- Why?

If you obtain enough expired codes, you can extrapolate (learn the algorithm) and create valid ones.

That said, thanks for providing a credible source, confirming the leak.