Support VGC

Twitch says there’s ‘no indication’ that login details were exposed in data leak

The streaming service also assures users that credit card information wasn’t taken

Twitch says there’s ‘no indication’ that login details were exposed in data leak

Twitch has released an update on the huge security breach it suffered on Wednesday, stating that it hasn’t yet seen evidence that login details were taken.

An update on the Twitch blog says the cause of the leak was “due to an error in a Twitch server configuration change that was subsequently accessed by a malicious third party”.

Although it doesn’t outright deny that login details were stolen, it claims: “At this time, we have no indication that login credentials have been exposed. We are continuing to investigate.”

It is, however, more certain that credit card information wasn’t stolen, stating: “Full credit card numbers are not stored by Twitch, so full credit card numbers were not exposed.”

The statement explains that the investigation is still ongoing, and Twitch is “still in the process of understanding the impact in detail”.

An anonymous hacker claimed to have leaked the entirety of Twitch on Wednesday, including its source code and user payout information.

The hacker posted a 125GB torrent link to 4chan, stating that the leak was intended to “foster more disruption and competition in the online video streaming space” because “their community is a disgusting toxic cesspool”.

VGC later verified that the files mentioned on 4chan are publicly available to download as described by the anonymous hacker.

As well as Twitch’s source code and and information on how much money the company has paid to streamers since August 2019, the leaked data reportedly includes proprietary SDKs and internal AWS services used by Twitch.

Further reading

Although claims that the torrent also includes encrypted passwords are now being challenged, it’s still recommended that users change their Twitch passwords to be safe.

If you have a Twitch account, it’s recommended that you also turn on two-factor authentication, which ensures that even if your password is compromised, you still need your phone to prove your identity using either SMS or an authenticator app.