Hacker advertises alleged database of 89 million Steam 2FA codes

Submitted ⁨⁨4⁩ ⁨hours⁩ ago⁩ by ⁨simple@lemm.ee⁩ to ⁨games@lemmy.world⁩

https://www.techradar.com/pro/security/hacker-advertises-alleged-database-of-89-million-steam-2fa-codes-source-of-leak-unknown

Steam 2FA codes allegedly got leaked. If you use 2FA with your phone number, turn it off NOW and secure your account.

source

Comments

Sort:hotnew top

sudneo@lemm.ee ⁨3⁩ ⁨hours⁩ ago
Already debunked

bsky.app/profile/…/3lp572utm5c2c

source
- Asafum@feddit.nl ⁨3⁩ ⁨hours⁩ ago
  Thank you for sharing this!
  
  source
- simple@lemm.ee ⁨3⁩ ⁨hours⁩ ago
  Thanks for the update. False alarm.
  
  source
specialseaweed@sh.itjust.works ⁨43⁩ ⁨minutes⁩ ago
Aside from this being false, it’s kinda crazy that Steam has had no significant public leaks.

source
slazer2au@lemmy.world ⁨4⁩ ⁨hours⁩ ago

“historic SMS text message with one-time passcodes for Steam, including the recipient’s phone number”.

Oh, so they are selling phone numbers.

The 2fa codes are useless after 1 min.

source
- givesomefucks@lemmy.world ⁨3⁩ ⁨hours⁩ ago
  Yeah. I think someone used the term “historic” appropriately, that it’s old
  
  And people are assuming it was used as an exaggeration like “this is a big deal”.
  
  source
baronvonj@lemmy.world ⁨4⁩ ⁨hours⁩ ago

Steam is warning users to enable Steam Guard Mobile Authenticator and keep an eye on account activity.

Fuck off and let me use my own TOTP app already.

source
- Pika@sh.itjust.works ⁨3⁩ ⁨hours⁩ ago
  Steam is one of the few apps that I’m fully okay with having on my phone and using for 2fa. I especially like that when I go to login it’s like Discord where I can scan a QR code to confirm from the App instead of having to type in a number that expires. Like it would be nice to have the other functionality as well but I’m content with their current system
  
  source
  - baronvonj@lemmy.world ⁨3⁩ ⁨hours⁩ ago
    I don’t mind that they have 2FA features in their app. I mind that using SMS for this has been known to be bad practice for years and they’ve tried to leverage that insecurity to push users to the Steam app. It’s reckless and this current data breach is only possible because of it.
    
    source
- EarMaster@lemmy.world ⁨2⁩ ⁨hours⁩ ago
  Although it is not officially supported you can do this: github.com/keepassxreboot/keepassxc/…/9591
  
  I did it years ago (I would say 10+ years) and it works perfectly fine.
  
  source
tisktisk@piefed.social ⁨1⁩ ⁨hour⁩ ago
So I know it's confirmed false, but I wanted to take the opportunity to ask how you good folks stay in the know about critical/time sensitive compromises like this was believed to be?

source
yesman@lemmy.world ⁨3⁩ ⁨hours⁩ ago
Image

source
PassingThrough@lemm.ee ⁨4⁩ ⁨hours⁩ ago
So what are the details of the risk here? Can texted 2FA use old codes to math out new ones? Is it just that they know which phone number goes to an account they can do another kind of attack on to get new codes?

From what I read these are old texted one time codes. Good one time, generally only for a few minutes. Useless now.

Or is this bad only because there’s a breach somewhere, they don’t know where, and who knows what else they have?

source
Pika@sh.itjust.works ⁨3⁩ ⁨hours⁩ ago
Okay so where’s the value here? Like I’m sure the phone numbers are worthwhile but including the 2fa codes with the phone number doesn’t seem like worthfull information, unless steam doesn’t properly have OTP setup and they don’t expire in a timely manner, but I’m willing to bet that a company like steam has a properly configured system

source
Lojcs@lemm.ee ⁨3⁩ ⁨hours⁩ ago
In case any time travelers want to make some slow cash?

source
kaeurennetwo@lemmy.world ⁨4⁩ ⁨hours⁩ ago
Really?

source