Twitch says no user passwords or card numbers were exposed in major hack
Catalin Cimpanu October 7, 2021

In the aftermath of a major security breach that came to light yesterday, Twitch has now issued a formal statement to assure users that no passwords or payment card numbers were stolen or leaked online.

“At this time, we have no indication that login credentials have been exposed,” the company said in a blog post today.

“Additionally, full credit card numbers are not stored by Twitch, so full credit card numbers were not exposed,” it added.

Twitch said it also reset all stream keys as a result of the incident. Users who stream on the site would most likely need to obtain a new one from their Twitch profile backends.

The Amazon-owned company said that while it is still investigating the breach, it believes the breach occurred because of “an error in a Twitch server configuration change that was subsequently accessed by a malicious third party.”

That third party collected data from Twitch’s backend systems and released “part one” via a torrent file shared on 4chan.

The data trove, downloaded and analyzed by The Record, contained the source code for the Twitch.tv portal, backend applications and programming libraries, unreleased projects, and security and user management tools, as well as details about payouts to all Twitch users who are part of the company’s creator program.

The leaker promised to release more data but did not provide a timeline. The threat actor said they leaked the data as a response to Twitch’s poor handling of “hate raids,” bot attacks that have flooded the chats of top streamers with abusive content.

Twitch’s explanation for the cause of the breach is consistent with what Thomas Shadwell, who founded Twitch’s security team in 2014, told ISMG in an interview yesterday, namely that Twitch developers used security keys to authenticate, suggesting the leak could have occurred via a server issue, rather than a compromised employee account.

Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.