The gamers’ social video service Twitch, which was purchased last year by Amazon, recently announced that “there many have been unauthorized access to some Twitch account user information” (h/t Ars Technica).
“For your protection, we have expired passwords and stream keys and have disconnected accounts from Twitter and YouTube,” the company stated. “As a result, you will be prompted to create a new password the next time you attempt to log into your Twitch account. We also recommend that you change your password at any website where you use the same or a similar password.”
Still, PasswordResearch.com’s Bruce K. Marshall reported that following the forced password change, Twitch unfortunately “accepted my same old password just fine as ‘new’ choice.”
According to an e-mail sent to users, the “account user information” exposed may have included user name, e-mail address, hashed password, last IP address logged in from, and (if provided to Twitch) full name, phone number, address and birthdate.
VentureBeat reports that some users also received the following statement: “While we store passwords in a cryptographically protected form, we believe it’s possible that your password could have been captured in clear text by malicious code when you logged into our site on March 3rd.”
STEALTHbits strategy and research officer Jonathan Sander told eSecurity Planet by email that gamers, who regularly spend money online, are a logical target for cybercriminals. “With a user base in excess of 45 million, Twitch is a treasure trove of valuable user data,” he said. “It’s wise that Twitch advises their users to also change passwords on other sites where they may have used similar passwords.”
“All security folks know that passwords are a necessary evil, and if you were looking for a poster child for why we need a better way then Twitch will likely be your choice,” Sander added.
A recent eSecurity Planet article examined three key tools for enforcing password policies.