Full Report
Twilio has denied in a statement for BleepingComputer that it was breached after a threat actor claimed to be holding over 89 million Steam user records with one-time access codes. [...]
Analysis Summary
# Incident Report: Alleged Leak of Steam 2FA Codes Potentially Linked to SMS Provider
## Executive Summary
A set of alleged Two-Factor Authentication (2FA) codes, primarily related to Steam accounts, was leaked online. Initial reports prompted an investigation into the widely used API provider Twilio, which facilitates SMS delivery for such services. While Twilio confirmed that it was investigating, it ultimately denied finding any evidence of a breach of its own systems, suggesting that the compromised data most likely originated from an intermediary SMS provider handling transmission between Twilio and end users.
## Incident Details
- Discovery Date: Unknown (Data found online)
- Incident Date: The delivery dates cited in the leaked data are from the beginning of March.
- Affected Organization: Twilio (Investigated); Steam (End-user impact suspected).
- Sector: Telecommunications/API Services, Gaming
- Geography: Not specified.
## Timeline of Events
### Initial Access
- Date/Time: Data leakage occurred around the beginning of March.
- Vector: Suspected compromise of an intermediary SMS provider that relays messages between Twilio's platform customers (such as Steam) and end users.
- Details: 2FA codes and related account details were exposed.
### Lateral Movement
- Not explicitly detailed, as the core issue appears to be data collection/leakage from an intermediary communication channel rather than a direct network intrusion into Twilio's core systems.
### Data Exfiltration/Impact
- Alleged exposure of one-time access codes used for Steam authentication, potentially allowing unauthorized account access.
### Detection & Response
- **Detection:** The compromised data or claims surrounding it were discovered online (via BleepingComputer inquiry).
- **Response Actions:** Twilio acknowledged the situation, began an investigation, and subsequently issued a statement denying evidence of a breach on their own platform after sampling the leaked data.
## Attack Methodology
*Note:* As Twilio denied a breach, the methodology below focuses on the **suspected** vector leading to the data exposure, which is most likely external to Twilio.
- Initial Access: Compromise of an intermediary SMS service provider.
- Persistence: Not applicable to the provider investigation findings.
- Privilege Escalation: Not applicable.
- Defense Evasion: Not applicable.
- Credential Access: Data related to authentication codes (SMS/2FA) was compromised.
- Discovery: Not applicable.
- Lateral Movement: Not applicable.
- Collection: Harvesting of SMS message content, including 2FA codes.
- Exfiltration: Exposure of the collected SMS data online.
- Impact: Facilitation of unauthorized access to linked services (e.g., Steam accounts).
## Impact Assessment
- Financial: Not estimated.
- Data Breach: One-time access codes (2FA) for services such as Steam were exposed. The threat actor claimed to hold over 89 million Steam user records; the confirmed volume of exposed codes is not specified.
- Operational: Potential unauthorized entry into user accounts dependent on the compromised SMS channel.
- Reputational: Initial reputational risk for Twilio due to association, mitigated by the subsequent denial of their own system compromise.
## Indicators of Compromise
*No specific threat actor IOCs were provided in the source text, as the investigation focused on the service provider.*
- Network indicators (defanged): N/A
- File indicators: N/A
- Behavioral indicators: Leakage of 2FA codes from SMS delivery logs or message content.
## Response Actions
- **Containment:** Twilio reviewed a sampling of the data found online.
- **Eradication:** No specific internal eradication steps were documented, as Twilio's systems were determined not to be the source.
- **Recovery:** Users of affected services (like Steam) were advised to take preemptive security measures.
## Lessons Learned
- **Key Takeaways:** Failures in security supply chains (intermediary SMS providers) can expose sensitive authentication data even if the primary platform (Twilio) remains secure.
- **What could have been done better:** Greater visibility or security enforcement across third-party communication intermediaries for sensitive data like 2FA codes.
## Recommendations
- **Prevention measures for similar incidents:** Users of services relying on SMS 2FA are strongly recommended to switch to more robust authentication methods, such as enabling the Steam Guard Mobile Authenticator or using dedicated authenticator apps (TOTP).
- Platforms relying on SMS APIs should rigorously vet the security posture of all critical communication intermediaries.