Update - October 15: Twitch has confirmed that passwords were not exposed in last week's security breach, and apologised to users.
In a statement issued on its blog (opens in new tab), the streaming service reiterated that "the incident was a result of a server configuration change that allowed improper access by an unauthorized third party." The company claims its team "took action to fix the configuration issue and secure our systems."
Twitch also states that "passwords have not been exposed," and that "we are also confident that systems that store Twitch login credentials [...] were not accessed, nor were full credit card numbers or bank information." Instead, the data contained information regarding the platform's source code, and some concerning creator payouts. With that in mind, Twitch says it is "confident that it only affected a small fraction of users and the customer impact is minimal." Those who were impacted will be contacted directly.
The statement closes by stating that "we take our responsibility to protect your data very seriously. We have taken steps to further secure our service, and we apologize to our community."
Update - October 7: Twitch account login and credit card information was seemingly unaffected by the site's recent data breach, Twitch says, but the company's understanding of the incident is still evolving.
"We are still in the process of understanding the impact in detail," Twitch said in a recent update (opens in new tab). It was quick to add that "at this time, we have no indication that login credentials have been exposed. We are continuing to investigate. Additionally, full credit card numbers are not stored by Twitch, so full credit card numbers were not exposed."
If credit card information isn't even stored on Twitch's servers, we can reasonably trust that info wasn't affected by this server breach, but login details are a bit more dicey. Even if Twitch doesn't discover any overlooked account vulnerabilities in its ongoing investigation, it's always a good idea to change your passwords after hacks like this, especially if you were using that password for multiple logins (which you should never do, by the way).
This update also shed some light on the cause of this breach, namely "an error in a Twitch server configuration change that was subsequently accessed by a malicious third party." Though the affected data was just recently shared online, it's unclear when this error and subsequent malicious access actually occurred.
As it continues to unpick this hack, Twitch has reset all stream keys "out of an abundance of caution." This probably won't affect you if you aren't a streamer yourself, but if you want you can confirm your new stream key here (opens in new tab).
Twitch has confirmed reports that the streaming service has been breached and is currently trying to establish the extent of it.
A statement published on Twitter (opens in new tab)earlier today, October 6, reads: "We can confirm a breach has taken place. Our teams are working with urgency to understand the extent of this. We will update the community as soon as additional information is available. Thank you for bearing with us."
This is the first statement from the company after reports that a huge data leak had taken place (via VGC (opens in new tab)). These reports stem from a 125GB torrent file that was posted to an internet forum which reportedly includes source files for the site, creator payouts from 2019, and encrypted passwords. VGC reports that that the justification for the leak was that it would “foster more disruption and competition in the online video streaming space”.
The leak also reportedly revealed the existence of a service that was in development called 'Vapor', which appears to be an Amazon Games Studio competitor to Steam which would be integrated with Twitch. Amazon and Amazon Games Studio is yet to comment on details of the leak.
With a major breach like this, you really should change your Twitch password - and any password associated with the account - immediately. It's also worth turning on two-factor authentication with your Twitch account, as this means that any attempt to log in to your account will be flagged via your mobile phone.
We'll update this story as soon as Twitch confirms the extent of the leak.