Twitch, Amazon’s video game streaming service, has reset passwords for all its users after warning of a security breach that could have allowed hackers to access usernames, passwords and other personal information.
According to a blog post Twitch published Monday night, current passwords have expired and users will need to create a new password the next time they log in. Accounts have also been disconnected from Twitter and YouTube. As is standard practice, anyone who has used the same password for multiple services should assume it has been compromised and create a new, unique password for each service. Credit card information was not compromised, the company said.
Monday’s advisory provided few details. Emails sent to users state that hackers may have gained unauthorized access to Twitch usernames and associated email addresses, encrypted passwords, the last IP address users logged in with, and, for users who provided such information, first and last name, telephone numbers, addresses and dates of birth. According to a report from VentureBeat, a separate email sent only to selected users contained an intriguing extra detail. “While we store passwords in a cryptographically protected form, we believe it’s possible that your password was captured in clear text by malicious code when you logged into our site on March 3,” the message read.
The full text of the more widely sent email read:
We are writing to notify you that there may have been unauthorized access to some of your Twitch user account information, which may include your Twitch username and associated email address, your password (which was cryptographically protected), the last IP address you logged in from, and one of the following if you have provided it to us: first and last name, telephone number, address and date of birth.
For your protection, we have expired your password and stream keys. Additionally, if you had linked your account to Twitter or YouTube, we’ve disconnected it.
The next time you try to log in to your Twitch account, you will be prompted to create a new password. If applicable, you will also need to reconnect your account to Twitter and YouTube, and reauthenticate via Facebook after changing your password. We also recommend that you change your password on any other website where you use the same or a similar password.
We apologize for this inconvenience.
The Twitch team
Oddly enough, at the same time they reported the breach, Twitch officials relaxed password requirements for users, allowing passwords of just eight characters. As Ars explained earlier, eight is the bare minimum number of characters needed for a password that protects a remote account, and each additional character provides an order of magnitude more entropy. Even worse for the security of Twitch users, according to a tweet from password researcher Bruce K. Marshall, Twitch allowed users to choose the same potentially compromised password that had just expired. There is little doubt that many users will opt for this more convenient option, forfeiting any benefit they might have gained from the mandatory reset.
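A reset-time check that closes the gap described above, as an added example that is not Twitch's code and not part of the original article: it enforces the eight-character minimum and refuses a new password that verifies against an expired record. The function names, the PBKDF2-HMAC-SHA256 storage scheme, its work factor and the 95-character alphabet are assumptions made for illustration.

```python
import hashlib
import hmac
import math
import os

MIN_LENGTH = 8          # the minimum the article says Twitch allowed
ITERATIONS = 600_000    # assumed PBKDF2 work factor, not Twitch's setting


def hash_password(password, salt=None):
    """Return (salt, digest) for storage; the clear text is never kept."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def matches(password, salt, digest):
    """Constant-time check of a candidate against one stored record."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def search_space_bits(length, alphabet=95):
    """Bits of brute-force search space for a random password of this length
    (alphabet=95 assumes printable ASCII; each extra character adds log2(95))."""
    return length * math.log2(alphabet)


def check_new_password(candidate, expired_records):
    """Return a list of policy violations; an empty list lets the reset proceed."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("too short")
    # Re-hash the candidate under each expired record's salt: a match means
    # the user is trying to keep a password that was just invalidated.
    if any(matches(candidate, s, d) for s, d in expired_records):
        problems.append("matches an expired password")
    return problems


if __name__ == "__main__":
    expired = [hash_password("hunter2-constructed")]  # constructed sample record
    print(check_new_password("hunter2-constructed", expired))
    print(check_new_password("a-new-unique-passphrase", expired))
    print(round(search_space_bits(8), 1), round(search_space_bits(9), 1))
```

Because the expired hashes are salted, the only way to detect reuse is to re-derive the candidate under each old salt, which is why the expired records have to be retained until the reset completes.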