Lifestreaming: Twitch Hacked, User Info Possibly Swiped

Internet, Internet, where will hackers strike next? Round and round and round we go, where the security hole stops, no one kn- oh! Twitch! It’s Twitch! Streaming service Twitch has been hacked.

Twitch announced last night that “there may have been unauthorized access to some Twitch user account information”, so they’re resetting all logins and access for everyone. If you’re lucky, you only need to reset your password and change your streaming software settings. If unlucky, well, naughty folks may have your name, address, phone number, date of birth, and more.

Twitch have reset all passwords and stream keys, which are simple enough for you to change. If you still use the same password on multiple sites – for goodness’ sake, don’t do this, use a password manager like KeePass or LastPass to generate unique, weird passwords – then you should also change your password on every site sharing it.

As for the worst case scenario, Twitch sent this e-mail out to members:

We are writing to let you know that there may have been unauthorized access to some of your Twitch user account information, including possibly your Twitch username and associated email address, your password, the last IP address you logged in from, limited credit card information (card type, truncated card number and expiration date), and any of the following if you provided it to us: first and last name, phone number, address, and date of birth.

PLEASE NOTE: Twitch does not store or process full credit or debit card information, so your card number is safe.

While we store passwords in a cryptographically protected form, we believe it’s possible that your password could have been captured in clear text by malicious code when you logged into our site on March 3rd.

Sounds nasty, that.

27 Comments

  1. Artist says:

    Through 20 years of effort we’ve successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess.

      • Rymdkejsaren says:

        I use this method on all my important accounts now, then use standard pws for less important stuff. I have about ten of those passwords going so far and I am yet to forget a single one, despite them being ~25 characters each. It’s brilliant.

        • plsgodontvisitheforums_ says:

          Hard to guess for humans, not that problematic for a couple of GPUs to brute force relatively easily.

          • jrodman says:

            For a properly secured service, the computing power behind the bruteforcing can be made irrelevant by throttling the number of requests, and identifying clear brute-force attempts.

            Of course if the password hash store is obtained, then computation power becomes relevant.

            A good passphrase though easily can achieve 64 bits of entropy. Just introduce some non-dictionary words and one or two uncommon substitutions combined with LENGTH, and suddenly your hash is not going to be worth their time unless you’re being targeted specifically.

            Of course that’s where using unique passwords comes in. If they already have access to the hash database, they probably don’t need your password for that service, only for other ones.

          • April March says:

            It’s only 64 bits of entropy if you don’t advertise your password is four common English words. If you do it’s just four.

          • jrodman says:

            The number of common English words is about 10,000. A choice among 10,000 items is 2^10, or ten bits. So four words at random would be around 40 bits. Repeat this math for whatever you think is the set of common words. It’s *definitely* not four.

          • jrodman says:

            Er, I mean 2^x = 10k.

      • kevmscotland says:

        The difficulty with this is a lot of sites don’t even let you create such a password, forcing you to use a range of characters mixed with capitals and numbers etc.

        So yes, this is the better system but annoyingly security has adopted the same method we have.

    • jrodman says:

      I’m not seeing the link from this point to the article.

      The article is saying “use unique passwords per site”. xkcd is saying “here is a way to remember a password with high entropy”. The problem with the xkcd position is that modern internet patterns require knowledge of far too many passwords to remember no matter how easy the system. That’s why lastpass and similar are useful, to give a sane workflow to have a hundred passwords or whatever.

      • Artist says:

        You really need the link explained???

        • jrodman says:

          I demonstrated a full grasp of the issues, and contributed a complete thought. Your turn.

        • Dare_Wreck says:

          That “correct horse battery staple” password generation technique is useful for creating a good single password, but it’s problematic for two big reasons: 1) as kevmscotland pointed out above, most sites unfortunately won’t let you store a password that long. And 2) it’s not useful for managing the dozens and dozens of accounts most people have these days – since you really need a unique password for each account, you might as well be using a password manager to manage them, and then you might as well be using their random character generators to create your passwords, which is better than a memorable password such as “correct horse battery staple”.

          • April March says:

            It strikes me that the ‘correct horse’ school of password would be impossible for any site that limits the size of passwords to sixteen characters or so but forces you to have at least one number. A bit like a law that forces you to wear helmets in cars but forbids seatbelts.

          • jrodman says:

            To be clear, reasonable password handling does not *store* any passwords. But yes many sites refuse to let you provide long passwords. And even if they DO let you provide long passwords, you don’t have a guarantee that the site uses all the text (unless you check), as older password algorithms simply discarded characters over a certain length. (This was the norm in the early 90s.)
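The entropy arithmetic argued over in the thread above (ten thousand common words, four words, the 2^10 slip, the 64-bit target, and the difference between a throttled online guess and an offline attack on a leaked hash store) carried through as an added worked example in Python. This is not code from the article or from any commenter. The word list is a constructed stand-in whose only relevant property is its length, and the guess rates used at the bottom are illustrative assumptions, not measurements.

```python
import math
import secrets
from typing import Sequence

# Constructed stand-in word list. Assumption: a real list (a published
# Diceware/EFF-style list) has thousands of words; only its LENGTH matters for
# the arithmetic below, so the functions take the size as a parameter.
SAMPLE_WORDS = [
    "correct", "horse", "battery", "staple", "anvil", "lantern", "meadow",
    "quartz", "river", "saddle", "timber", "velvet", "walnut", "yonder",
]


def bits_per_choice(n_options: int) -> float:
    """Entropy of ONE uniformly random pick among n_options, i.e. log2(n).

    This is where the thread's "2^10 = 10k" slip lives: 2^10 is 1024, so a
    pick among 10,000 words is worth about 13.3 bits, not 10.
    """
    if n_options < 2:
        raise ValueError("need at least two options for any entropy")
    return math.log2(n_options)


def passphrase_bits(wordlist_size: int, n_words: int) -> float:
    """Entropy of n_words picked independently and uniformly from the list.

    The attacker is assumed to already know the scheme (which list, how many
    words); only the random picks count. Announcing "my password is four
    common English words" therefore costs nothing, as the thread concludes.
    """
    return n_words * bits_per_choice(wordlist_size)


def char_password_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random character password, for comparison."""
    return length * bits_per_choice(alphabet_size)


def words_needed(wordlist_size: int, target_bits: float) -> int:
    """Smallest number of words that reaches target_bits with this list."""
    return math.ceil(target_bits / bits_per_choice(wordlist_size))


def generate_passphrase(words: Sequence[str], n_words: int) -> str:
    """Pick words with the OS CSPRNG (secrets), never random.choice()."""
    return " ".join(secrets.choice(words) for _ in range(n_words))


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected brute-force time for a password of the given entropy.

    On average the attacker tries half the keyspace. The rate is what
    separates the thread's two cases: an online attack is throttled by the
    service, an offline attack on a leaked hash store runs at whatever the
    attacker's hardware allows.
    """
    return (2.0 ** bits / 2.0) / guesses_per_second


if __name__ == "__main__":
    print(f"4 words from 10,000: {passphrase_bits(10_000, 4):.1f} bits")
    print(f"4 words from 7,776:  {passphrase_bits(7_776, 4):.1f} bits")
    print(f"words for 64 bits from 10,000: {words_needed(10_000, 64)}")
    print(f"8 printable ASCII chars: {char_password_bits(95, 8):.1f} bits")
    # Illustrative assumed rates (constructed), not measurements.
    for label, rate in (("online, throttled", 10), ("offline, GPU", 1e10)):
        secs = expected_crack_seconds(passphrase_bits(10_000, 4), rate)
        print(f"{label}: ~{secs / 86400:.0f} days")
    print("sample:", generate_passphrase(SAMPLE_WORDS, 4))
```

The numbers fall out as the thread eventually settles: four words from a 10,000-word list is about 53 bits, five words clears 64, and an eight-character random printable-ASCII password sits at roughly the same 53 bits as the four-word phrase while being far harder to remember. The same entropy figure takes wildly different times to exhaust depending only on the guess rate, which is the point made about throttling versus a leaked hash database.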

  2. The Dark One says:

    On the plus side, some dude managed to make a Hearthstone turn that normally takes 90 seconds into something that’s been going on for over twenty hours and isn’t even half-finished: link to twitch.tv

  3. phelix says:

    Got an email, too. Haven’t used my twitch acc in years. Haven’t used the associated password for anything else in the last 2 years. Should I be worried?

    • Artist says:

      “Only because you’re paranoid does not mean nobody is following you….”

  4. SaintAn says:

    I like how they avoided the fact that it was their fault and they got hacked. From how they worded it I thought I got hacked.

  5. Stuart Walton says:

    I would put a new password on my account because the form that appears when I try to log in states that my account has no email address.

    I can use the link in an old Twitch email to update my email address but that still doesn’t let me reset my password.

    Seems I’m not the only one having this issue, judging by the Twitch help portal.

  6. Incompleteness says:

    Drat, they’re having everyone reset their password and I haven’t given them a proper e-mail.

  7. DanMan says:

    Websites should really encrypt user information. Yes, it’s a PITA, but safe is safe.

  8. DrManhatten says:

    I am pretty sure Steam will be next on the list, it is now such an interesting attack vector and Valve’s security has been proven in the past to be, well, not ideal.

  9. Smoky_the_Bear says:

    While LastPass looks like a good little browser addon, half of the passwords I use are for separate launchers (Steam, Origin, Spotify, Battlenet etc etc, as well as individual game launchers). Is there anything available to do similar for these sorts of passwords? I like the idea of using something like the programs discussed, but if I still have to remember a whole bunch of passwords that are open to hacking it kinda makes it less desirable.

    • Smoky_the_Bear says:

      Also what happens if you are using a public computer that won’t let you install Lastpass etc onto the browser? Are you up shit creek at that point with no way to login to stuff?

      • tetracycloide says:

        Two options:

        Thumb drive with your password locker on it, preferably encrypted.
        Password locker installed on a mobile phone so you can copy it manually.