Twitch resets passwords, says user details may have been stolen

24 Mar 2015 - Data loss, Privacy
by Lee Munson

Users of the popular live streaming service Twitch were yesterday told that all their stream keys and passwords have been voided after the San Francisco-based startup noted “unauthorized access to some Twitch user account information”.

The company, which allows users to stream their gameplay to interested spectators, also revealed that accounts had been disconnected from Twitter and YouTube as part of its security response, presumably as a precaution to prevent further account hijacking.

While we hope that Twitch-using Naked Security readers are savvy enough to never use the same password twice, the company posted advice to users to change their login credentials elsewhere on the web if they had made that mistake.

Twitch also issued some advice about creating a new password, highlighting the insecurity of using dictionary words and promoting the use of a password manager.

Of course, a properly crafted password is one thing, but adding two-factor authentication would offer an extra level of protection – something which Twitch currently doesn’t offer.

The blog post makes no mention of how the security incident occurred or just how many accounts were targeted – Twitch says it is in the process of contacting affected users directly – but the service, which was bought by Amazon for $970 million last year, is thought to have over 55 million users.

Those who have been affected by the breach are receiving an email from Twitch which gives some detail about the type of information the attackers may have walked off with:

We are writing to let you know that there may have been unauthorized access to some of your Twitch user account information, including possibly your Twitch username and associated email address, your password, the last IP address you logged in from, limited credit card information (card type, truncated card number and expiration date), and any of the following if you provided it to us: first and last name, phone number, address, and date of birth...

... While we store passwords in a cryptographically protected form, we believe it's possible that your password could have been captured in clear text by malicious code when you logged into our site on March 3rd.

So, if you have re-used your password elsewhere online, please go and change it. And make sure your passwords are different for each and every account you have. Always.

The slightly better news is that Twitch has told its users that the service neither stores nor processes full credit or debit card data – so users are unlikely to see unauthorised payments leaving their accounts.


2 comments on “Twitch resets passwords, says user details may have been stolen”

  1. Peter Yates says:
    March 25, 2015 at 3:19 am

    A complicating factor is that a lot of the login information for the old sister site ‘Justin.tv’ was “converted” by the users to work on Twitch. If some of the users then didn’t actually use Twitch they might not be aware that the site retained all of their info. We hope they will receive one of the emails – like I did. They will need to create a new (temporary) password on the system, and then deactivate/disable the account if they don’t want to use it. (Scroll down on the Settings page to see the deactivate link.)

  2. Anonymous says:
    March 25, 2015 at 3:19 pm

    screw twitch, they killed justintv without notice and screwed lots of people.
