
Twilio has denied claims of a security breach after a threat actor allegedly leaked 89 million Steam user records containing one-time access codes. The company stated that no system intrusion occurred, suggesting compromised credentials or API keys as the likely cause [1]. This incident highlights the risks of SMS-based two-factor authentication (2FA) and supply chain vulnerabilities in third-party services.
Incident Overview
The leaked data reportedly includes real-time SMS logs with 2FA codes, timestamps, recipient phone numbers, and routing costs [1]. While Twilio maintains its systems weren’t breached, security researchers note this could enable attackers to bypass Steam’s 2FA protections through phishing or session hijacking. The situation is particularly concerning given Twilio’s role as a critical infrastructure provider for authentication systems.
This follows a pattern of security issues for Twilio, including an April 2025 leak of 848,000 SendGrid customer records and a 2024 incident where 33 million Authy phone numbers were exposed [2]. The company’s repeated security challenges have raised questions about its API and account safeguards.
Technical Analysis
Analysis suggests attackers likely gained access through compromised user accounts or API keys rather than a direct system breach [3]. Threat actors have been observed selling Twilio API keys for $500-$2,000 on dark web forums, with some listings including working code examples for accessing SMS logs:
from twilio.rest import Client
client = Client("ACxxxxxxxxxxxxxx", "auth_token_leaked") # Compromised credentials
messages = client.messages.list(limit=100) # Access SMS logs
The Steam support system has also shown vulnerabilities, with reports of attackers bypassing Steam Guard 2FA by providing stolen payment details through support tickets [4]. In some cases, Steam Support removed 2FA protections after receiving partial payment information, enabling account takeovers.
Security Implications
This incident demonstrates several critical security concerns. First, SMS-based 2FA remains vulnerable to interception and supply chain attacks. Second, third-party dependencies create potential single points of failure in authentication systems. Finally, the difficulty in migrating from Authy (Twilio’s authentication app) compounds these issues, as users report challenges extracting TOTP seeds due to recent desktop app deprecation [1].
Security professionals should note that while Twilio denies a breach, the practical impact is similar – attackers gained access to sensitive authentication data. This highlights the importance of defense-in-depth strategies that don’t rely solely on any single authentication method or provider.
Recommendations
For organizations using Twilio services:
- Audit and rotate all API keys and credentials
- Implement rate-limiting and row-level security for API access
- Monitor for unusual access patterns in SMS logs
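The monitoring and key-rotation recommendations above, as an added example that is not Twilio's code or part of the original article: it runs over a few constructed API access records and flags a key used from an address outside its baseline and a bulk read of message history within a short window. The record fields (key, ip, endpoint, rows) are assumptions about what such an access log carries, and the key SID and addresses are constructed.

```python
"""Flag suspicious use of a Twilio-style API key in an API access log.
Added example (not Twilio's code). Records are constructed; the fields
key, ip, endpoint and rows are assumptions about what such a log carries."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log: key SKaaaa normally sends single SMS from one host, then
# lists message history in bulk, at night, from an address never seen before.
EVENTS = [
    {"ts": "2025-05-14T09:00:00Z", "key": "SKaaaa", "ip": "203.0.113.10", "endpoint": "POST /Messages", "rows": 1},
    {"ts": "2025-05-14T09:05:00Z", "key": "SKaaaa", "ip": "203.0.113.10", "endpoint": "POST /Messages", "rows": 1},
    {"ts": "2025-05-14T22:31:00Z", "key": "SKaaaa", "ip": "198.51.100.7", "endpoint": "GET /Messages", "rows": 1000},
    {"ts": "2025-05-14T22:31:20Z", "key": "SKaaaa", "ip": "198.51.100.7", "endpoint": "GET /Messages", "rows": 1000},
    {"ts": "2025-05-14T22:31:40Z", "key": "SKaaaa", "ip": "198.51.100.7", "endpoint": "GET /Messages", "rows": 1000},
]
BASELINE_IPS = {"SKaaaa": {"203.0.113.10"}}  # per-key addresses seen during a clean period

def detect_anomalies(events, baseline_ips, max_rows=2000, window=timedelta(minutes=5)):
    """Return ("new_source", key, ip) when a key is used from an address outside
    its baseline, and ("bulk_read", key, rows) when more than max_rows message
    records are listed within a sliding `window` for that key."""
    alerts, seen_sources = [], set()
    reads = defaultdict(list)  # key -> [(timestamp, rows listed)]
    for e in events:
        ts = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        source = (e["key"], e["ip"])
        if e["ip"] not in baseline_ips.get(e["key"], set()) and source not in seen_sources:
            seen_sources.add(source)
            alerts.append(("new_source", e["key"], e["ip"]))
        if e["endpoint"].startswith("GET /Messages"):  # SMS history reads, incl. 2FA codes
            reads[e["key"]].append((ts, e["rows"]))
    for key, items in reads.items():
        items.sort()
        start = total = 0
        for ts, rows in items:
            total += rows
            while ts - items[start][0] > window:  # drop reads older than the window
                total -= items[start][1]
                start += 1
            if total > max_rows:
                alerts.append(("bulk_read", key, total))
                break
    return alerts

def keys_to_rotate(alerts):
    """Any key with an alert is a candidate for immediate revocation and rotation."""
    return sorted({a[1] for a in alerts})
```

Running `detect_anomalies(EVENTS, BASELINE_IPS)` yields one new-source alert for 198.51.100.7 and one bulk-read alert for 3000 rows, and `keys_to_rotate` then names SKaaaa for rotation.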
For end users:
- Transition from SMS 2FA to TOTP apps or hardware security keys
- Monitor Steam account activity for unauthorized access
- Consider using unique email addresses for gaming accounts
The Twilio-Steam incident serves as a reminder of the evolving challenges in authentication security. As attackers increasingly target the weakest links in security chains, organizations must evaluate their dependencies and implement layered defenses. While no single solution is foolproof, reducing reliance on SMS-based authentication and strengthening API security controls can significantly mitigate these risks.
References
- “Twilio Denies Breach Following Leak of Alleged Steam 2FA Codes”, BleepingComputer, May 2025.
- “Everything About Twilio SendGrid Breach”, SOCRadar, April 2025.
- HackManac on X (Twitter), May 2025.
- “Someone tried to convince the Steam Support to remove my 2FA”, Reddit, May 2025.
- “Twilio’s Authy Breach Disclosure”, Twilio Help Center, June 2025.