Twitch user info breached, users prompted to change passwords

Some unsavory types have breached Twitch and may have accessed user account information. Users are being prompted to change their passwords.


Twitch is alerting users of a possible data breach. User information may have been accessed, and the company is prompting users to change their passwords.

The full statement is on the Twitch blog:

"For your protection, we have expired passwords and stream keys and have disconnected accounts from Twitter and YouTube. As a result, you will be prompted to create a new password the next time you attempt to log into your Twitch account. We also recommend that you change your password at any website where you use the same or a similar password. We will communicate directly with affected users with additional details."

Senior Editor

Ozzie has been playing video games since picking up his first NES controller at age 5. He has been into games ever since, only briefly stepping away during his college years. But he was pulled back in after spending years in QA circles for both THQ and Activision, mostly spending time helping to push forward the Guitar Hero series at its peak. Ozzie has become a big fan of platformers, puzzle games, shooters, and RPGs, just to name a few genres, but he’s also a huge sucker for anything with a good, compelling narrative behind it. Because what are video games if you can't enjoy a good story with a fresh Cherry Coke?

From The Chatty

  • reply
    March 23, 2015 1:05 PM

    Ozzie Mejia posted a new article, Twitch user info breached, users prompted to change passwords

    • reply
      March 23, 2015 1:38 PM

      The site tells you to pick a stronger password if what you entered is not strong enough. However, the site never defines what a strong password is composed of.

      • reply
        March 23, 2015 1:56 PM

        Protein powder + Creatine

      • reply
        March 23, 2015 1:59 PM

        Yeah love that especially coming from a site where they apparently didn't make that great of an effort to secure their shit.

        • reply
          March 23, 2015 2:01 PM

          Well if you are still choosing passwords (instead of using autogen passwords and KeePass/LastPass) I would strongly suggest you re-evaluate your approach to web security. I just changed one random 20-char password for another, and I don't have to worry about whether I used the password at other sites or something.

          • reply
            March 23, 2015 2:14 PM

            Stuff that I care about uses two factor or has additional, non-web based protections.

            Stuff like twitch? I'm not a streamer nor do I sub to any channels, so literally the only info contained within my twitch account is the channels I follow. If someone wants to hijack that - more power to them. I'll pick something silly and stupid.

            • reply
              March 23, 2015 2:41 PM

              I'm at the point with KeePass where a random pw and something silly and stupid are equally easy. Also, silly pws have a way of becoming overused over time. Like maybe it's used for a site you don't care about but then 2 years later you care more about the site than you used to. Or maybe you reuse your silly pw and then the total sum of all accounts using that pw is something you might care more about protecting than the individuals.

              • reply
                March 23, 2015 3:08 PM

                I can handle my passwords fine.

                Generally, a silly password coincides with a silly username, so if I cared about it or got into it more, then a new username/account would follow.

      • reply
        March 23, 2015 2:04 PM

        correct horse batteries presumably

      • reply
        March 23, 2015 3:12 PM

        Holy shit this is annoying.

      • reply
        March 23, 2015 11:08 PM

        said 'Great!' for me

    • reply
      March 23, 2015 1:39 PM

      Oh, that's why I needed to change my pass. Lame.

    • reply
      March 23, 2015 1:51 PM

      LastPass makes dealing with stuff a two-click affair, sweet.

      • reply
        March 23, 2015 2:01 PM

        Not exactly, for this site. Wish twitch had the auto password ability as some of the larger sites.

    • reply
      March 23, 2015 1:55 PM

      Thanks for the heads up!

    • reply
      March 23, 2015 1:59 PM

      You also will have a new streaming key according to the info here: http://thenextweb.com/insider/2015/03/23/twitch-accounts-were-compromised-passwords-being-reset/

      GG Twitch. At least we heard about the compromise and action was taken quickly.

      • reply
        March 23, 2015 6:02 PM

        Not exactly. They didn't share how long they knew about the breach, or when they discovered the breach happened. The breach could have happened a month ago, and Twitch/Amazon could have just found out about it seven days ago, and could only just now be alerting the community.

        • reply
          March 23, 2015 6:20 PM

          True. I'm also interested to what degree Steam-linked info was leaked too from when I associated my Twitch account with my Steam ID for Dota2 match tracking. I get a fair amount of spam from Steam scammers and I often wonder where it comes from.

          • reply
            March 23, 2015 8:38 PM

            It doesn't look like they have released any details on the severity of the breach, and they probably won't either. Sony caught a bad rap for withholding information about how bad their incident was, and how long they took to inform those who were affected, but almost any company acts in the same exact way in these situations. Sadly it has nothing to do with protecting its users.

    • reply
      March 23, 2015 1:59 PM

      I think my password was asdfasdfasdf2 or some shit like that.

      • reply
        March 23, 2015 2:05 PM

        True programmer here

      • reply
        March 23, 2015 6:15 PM

        dammit, now i gotta change mine again

      • reply
        March 23, 2015 10:30 PM

        That's amazing, I've got the same password on my luggage

      • reply
        March 23, 2015 11:09 PM

        Y<a19(bCD1O1|yw_1ENY@6c2IoM267Vj%%1Ch,gd1FF636Pz8snG5J547

        • reply
          March 24, 2015 12:56 AM

          x:~$ pwgen --symbols --numerals --capitalize 58 1
          Y<a19(bCD1O1|yw_1ENY@6c2IoM267Vj%%1Ch,gd1FF636Pz8snG5J547


          oh shiit!

    • reply
      March 23, 2015 2:13 PM

      for fucks sake

    • reply
      March 23, 2015 2:17 PM

      I still just use "password" for everything. No problems yet.

    • reply
      March 23, 2015 2:19 PM

      Already changed, ezpz

    • reply
      March 23, 2015 2:26 PM

      everyone blame kill9

    • reply
      March 23, 2015 3:22 PM

      They can do what they like with my Twitch account. My account is bogus anyway.

    • reply
      March 23, 2015 4:07 PM

      Christ, do I need nuclear launch codes as my password now? I used one with multiple capital letters, symbols, and numbers and it still says it's too weak. Wtf?

    • reply
      March 23, 2015 9:16 PM

      Tried to login and now I have been waiting on the reset email for 2-3 hours now.

      • reply
        March 23, 2015 9:22 PM

        SM me later if this is still a problem

        • reply
          March 23, 2015 11:43 PM

          Still no email but I'm going to bed. Hopefully tomorrow by the time I wake up maybe. Tried to reset 3 times so far though. I figure it's just a high server load or something though.

    • reply
      March 23, 2015 10:28 PM

      OK, I'm sick of this shit and will start using KeePass. What's a secure yet practical method for handling one's password database? Should I also use a key-file? Where do you guys back these files up safely? Only at home or do you risk cloud storage?

      • reply
        March 23, 2015 10:37 PM

        LastPass?

      • reply
        March 23, 2015 11:18 PM

        I use a nice high-entropy password that's not super long that I have memorized to protect the DB, and it's also kept as a private file on my DropBox which has a cryptographically strong password (stored in the DB of course!). So there are local and cloud copies of the DB but all pretty well protected and given the brute-force resistance of KeePass I'm not too worried about it even if a computer or phone were stolen. If I get a new device, let's say a new computer or something, I download DropBox, use my phone to open KeePass there and show my password, then I type the DropBox password in and my DB gets synced. Then I download KeePass and I'm good to go on the new device. Open KeePass with memorized pw, select site, Ctrl-C, Ctrl-V is really fast and second nature at this point. I could set up auto-type but I rarely use it because it's not honestly a chore to handle this way.

      • reply
        March 24, 2015 1:02 AM

        Onedrive and a Master password for me.

        Syncs fine with windows, Windows phone and ios.

      • reply
        March 24, 2015 7:26 AM

        Keyfile, back-up your DB offline, single use password for your PW DB.

    • reply
      March 23, 2015 11:11 PM

      Lucky me, that's one of the few sites where I just let Keepass generate the password for me so it's completely random and secure.

      • reply
        March 23, 2015 11:20 PM

        Yeah, it's really nice knowing that you never knew your pw in the first place so there's no mental space impacted by the leak, just regen in KeePass, update, and move on. I'm sold on this approach now too, I have very few human-generated passwords left now, which means they can be much stronger passwords and still pretty easy to remember.

    • reply
      March 24, 2015 1:20 AM

      Again? This exact thing happened a couple of years ago.