Twitch users told to change passwords amid hack fears


Users of the Amazon-owned video game streaming service Twitch have been instructed to change their passwords amid fears the site has been hacked.

Twitch told users that their names and phone numbers were among the details feared to have been leaked.

It said it had deleted passwords, which were encrypted, and disconnected users’ accounts from Twitter and YouTube.

But the site came in for criticism after it appeared to condone users setting weak replacement passwords.

As of July last year, Twitch had more than 55 million unique monthly viewers.

In an email to users, Twitch said: “We are writing to let you know that there may have been unauthorised access to some of your Twitch user account information, including possibly your Twitch username and associated email address, your password (which was cryptographically protected), the last IP address you logged in from, and any of the following if you provided it to us: first and last name, phone number, address, and date of birth.”

It also said that it did not store or process full credit card information.

In a separate statement published on its blog, Twitch did not directly admit that it had been hacked.

“There may have been unauthorised access to some Twitch user account information,” it said.

‘Grumbling users’

When asked by the BBC, a Twitch spokesman refused to confirm whether or not it knew for sure that a breach had taken place.

However, in an email to users, the company said it had deleted all passwords and users would be prompted to choose a new one the next time they tried to log in.

After complaints from some users that the minimum requirement for replacement passwords was too restrictive, Twitch lowered its threshold, requiring only eight-digit passwords.

That prompted criticism from security experts.

“Following a hack, most companies strengthen their security – but in Twitch’s case they actually watered it down to appease grumbling users who haven’t yet learned that maybe life would be easier and safer if they simply used a password manager,” wrote security consultant Graham Cluley on his blog.

“Part of me really wishes [Twitch] had stuck to its guns and demanded lengthy passwords to be used, as that would surely have encouraged a least a few more users to try out a password management utility,” he added.

“It should go without saying that if your password has potentially been breached on a site like Twitch, you better make sure that you are not using the same password anywhere else on the internet.”


David Emm, principal security researcher at Kaspersky Lab, said: “Fortunately, in this instance passwords were encrypted, minimising the risk of passwords being used by the hackers. However, the fact that names, addresses and other personal details were not will be cause for concern for many customers.

“Our passwords are our first line of defence when it comes to protecting ourselves from cybercriminals, so it’s important that businesses and we as consumers take steps to keep these protected.”

Mr Emm advised choosing a password at least 12 characters long that contained a mixture of numbers, letters and symbols.

Amazon bought Twitch Interactive last year for $970m (£650m), beating a rival bid from Google Inc.