tyl0413 May 14 at 3:57 AM
Steam SMS 2FA provider Twilio hacked
Because for some reason nobody gets the memo until it's too late, can Valve at least now, after the fact, stop forcing us to use horribly insecure and inconvenient ♥♥♥♥ like SMS 2FA instead of just supporting way more secure and convenient modern solutions like an open implementation of TOTP (not the crap they lock behind SMS and their proprietary phone app), passkeys and hardware security keys? I've been saying this for years and no one cared; have fun with the hackers/scammers now then.
Twilio seems to get hacked every few months, but for some reason they're still widely used.

https://www.bleepingcomputer.com/news/security/twilio-denies-breach-following-leak-of-alleged-steam-2fa-codes/
Showing 1-15 of 70 comments
Realigo Actual May 14 at 4:21 AM
If phones were so secure at rest, auto reboots wouldn't have become a thing. Device-based 2FA isn't a country mile better if that device has network or wireless connectivity, which is the case for the majority.
Carlos100 May 14 at 4:25 AM
did you actually read the stuff on the link?
Make sure you triple check stuff before posting
tyl0413 May 14 at 4:28 AM
That's why you get a security key like a Yubikey/Nitrokey if you want maximum security. I think you can't even upgrade the firmware on the Yubikey because they don't want that to become a possible source of infection.
But SMS-based 2FA is the worst: SMS has 0 encryption whatsoever, providers like Twilio get hacked constantly, SIM swaps are common, phone numbers are valuable for phishing, scammers and other undesirables literally have access to many phone providers' backends, and it's just plain inconvenient when I can have TOTP on my PC, etc. It never even should've been a thing, it's so terrible, and it's time that Steam stops forcing it. That's the main problem: if for whatever insane reason someone chooses to use it, that's their problem, okay, but don't force me to use it because you don't care to support better options.
Steam doesn't force it. They would PREFER you use the app like a normal person. You can also use email 2FA. The fact that such a small portion of the userbase is affected shows how few people were using the SMS option in the first place.
Aluvard May 14 at 4:32 AM
Not to mention that Twilio isn't Steam's 2FA provider.

https://x.com/MellowOnline1/status/1922458687316074640
Realigo Actual May 14 at 4:33 AM
Originally posted by Carlos100:
did you actually read the stuff on the link?
Make sure you triple check stuff before posting

I did read it. It seems to suggest that this breach was not on the users' side but more on the Valve side. This is one explanation for all the posts talking about how their guard was defeated when they don't trade etc. But my point was, device-based 2FA isn't a silver bullet because that ♥♥♥♥ can and does just get lifted off the phones where it is.
Originally posted by Realigo Actual:
Originally posted by Carlos100:
did you actually read the stuff on the link?
Make sure you triple check stuff before posting

I did read it. It seems to suggest that this breach was not on the users' side but more on the Valve side. This is one explanation for all the posts talking about how their guard was defeated when they don't trade etc. But my point was, device-based 2FA isn't a silver bullet because that ♥♥♥♥ can and does just get lifted off the phones where it is.
So you didn't read it then, since it clearly states that it most likely WASN'T on Valve's side.
tyl0413 May 14 at 4:34 AM
Steam doesn't force it. They would PREFER you use the app like a normal person. You can also use email 2FA. The fact that such a small portion of the userbase is affected shows how few people were using the SMS option in the first place.
Yes it does: functionality like trading and the market is restricted if you're not using their crap mobile app, and to use that you must use SMS too, because they do not let you set up their crap proprietary authenticator without having SMS on first. Yeah, 89 million is a very insignificant number.
Originally posted by tyl0413:
Steam doesn't force it. They would PREFER you use the app like a normal person. You can also use email 2FA. The fact that such a small portion of the userbase is affected shows how few people were using the SMS option in the first place.
Yes it does: functionality like trading and the market is restricted if you're not using their crap mobile app, and to use that you must use SMS too, because they do not let you set up their crap proprietary authenticator without having SMS on first. Yeah, 89 million is a very insignificant number.
out of nearly 2 billion accounts? Yes, that is a VERY small subset of the userbase. Less than 5%

But way to expose yourself there.
Realigo Actual May 14 at 4:36 AM
Originally posted by Realigo Actual:

I did read it. It seems to suggest that this breach was not on the users' side but more on the Valve side. This is one explanation for all the posts talking about how their guard was defeated when they don't trade etc. But my point was, device-based 2FA isn't a silver bullet because that ♥♥♥♥ can and does just get lifted off the phones where it is.
So you didn't read it then, since it clearly states that it most likely WASN'T on Valve's side.

If Valve was using Twilio to send the codes out, and Twilio has a breach, then you think that's more on the user side?
falcaux May 14 at 4:37 AM
I left Twilio a while ago. It's not the first time they've been at the center of data leaks
https://9to5mac.com/2024/07/04/authy-hack/
But in any case I don't need an OTP to access Steam. I have installed Steam on iPhone and I have to approve requests from smartphone
Last edited by falcaux; May 14 at 4:39 AM
Originally posted by Realigo Actual:
So you didn't read it then, since it clearly states that it most likely WASN'T on Valve's side.

If Valve was using Twilio to send the codes out, and Twilio has a breach, then you think that's more on the user side?
Or the Twilio side.
Aluvard May 14 at 4:39 AM
Originally posted by Realigo Actual:
So you didn't read it then, since it clearly states that it most likely WASN'T on Valve's side.

If Valve was using Twilio to send the codes out, and Twilio has a breach, then you think that's more on the user side?


Originally posted by Aluvard:
Not to mention that Twilio isn't Steam's 2FA provider.

https://x.com/MellowOnline1/status/1922458687316074640
Originally posted by Realigo Actual:
So you didn't read it then, since it clearly states that it most likely WASN'T on Valve's side.

If Valve was using Twilio to send the codes out, and Twilio has a breach, then you think that's more on the user side?
You are pretending this is a zero-sum game. It's not "either Valve or the user", and pretending otherwise is dishonest. If your ISP leaks your Steam credentials because their data gets intercepted, that's not on "your" end, but it's not on Valve's end either. Put the blame where it belongs.
Realigo Actual May 14 at 4:50 AM
Originally posted by Aluvard:
Originally posted by Realigo Actual:

If Valve was using Twilio to send the codes out, and Twilio has a breach, then you think that's more on the user side?


Originally posted by Aluvard:
Not to mention that Twilio isn't Steam's 2FA provider.

https://x.com/MellowOnline1/status/1922458687316074640

Ah, so not on Valve's side then. I did think it was a bit plebeian for Valve, but Twilio is a well-known name in VOIP and business phone systems.

So that's interesting. Twilio is more backend-focused. Makes me wonder if trader bots were the accounts involved.