Streaming video giant Twitch is forcing users to change their passwords after what was described as unauthorised access to some Twitch user account information”.
Furthermore, some users who have already reset their passwords have been contacted again to say that their new password needs changing following another infringement.
For your protection, we have expired passwords and stream keys and have disconnected accounts from Twitter and YouTube,” a statement read. As a result, you will be prompted to create a new password the next time you attempt to log into your Twitch account.
We also recommend that you change your password at any website where you use the same or a similar password. We will communicate directly with affected users with additional details.”
VentureBeat has a copy of the email subsequently sent to those believe to be affected:
We are writing to let you know that there may have been unauthorised access to some of your Twitch user account information, including possibly your Twitch username and associated email address, your password, the last IP address you logged in from, limited credit card information (card type, truncated card number and expiration date), and any of the following if you provided it to us: first and last name, phone number, address, and date of birth.
Twitch does not store or process full credit or debit card information, so your card number is safe. While we store passwords in a cryptographically protected form, we believe it's possible that your password could have been captured in clear text by malicious code when you logged into our site on March 3rd.”
The company has denied that the breach was related to last week's service outage, claiming instead that it was caused by an internal tech issue”.
In the last hour it has also emerged that Twitch has been contacting some users asking for a second change of password following what it describes as yet more security breaches.
Ummm....Twitch? Did you fail to ALSO secure the password reset form yesterday after they hacked your frontend? Why should I trust you again?— Chris Higgins (@higgyC) March 24, 2015
@BenParfitt just got another email from them saying they've expired the new password after "there may have been some unauthorised access"— Chris Higgins (@higgyC) March 24, 2015