Twitch wipes stream keys amid breach investigation but says logins and credit cards are safe

Update - October 7: Twitch account login and credit card information was seemingly unaffected by the site's recent data breach, Twitch says, but the company's understanding of the incident is still evolving.

"We are still in the process of understanding the impact in detail," Twitch said in a recent update. It was quick to add that "at this time, we have no indication that login credentials have been exposed. We are continuing to investigate. Additionally, full credit card numbers are not stored by Twitch, so full credit card numbers were not exposed." 

If credit card information isn't even stored on Twitch's servers, we can reasonably trust that info wasn't affected by this server breach, but login details are a bit more dicey. Even if Twitch doesn't discover any overlooked account vulnerabilities in its ongoing investigation, it's always a good idea to change your passwords after hacks like this, especially if you were using that password for multiple logins (which you should never do, by the way). 

This update also shed some light on the cause of this breach, namely "an error in a Twitch server configuration change that was subsequently accessed by a malicious third party." Though the affected data was just recently shared online, it's unclear when this error and subsequent malicious access actually occurred.

As it continues to unpick this hack, Twitch has reset all stream keys "out of an abundance of caution." This probably won't affect you if you aren't a streamer yourself, but if you want you can confirm your new stream key here. 

Original story:

Twitch has confirmed reports that the streaming service has been breached and is currently trying to establish the extent of it. 

A statement published on Twitter earlier today, October 6, reads: "We can confirm a breach has taken place. Our teams are working with urgency to understand the extent of this. We will update the community as soon as additional information is available. Thank you for bearing with us."

This is the first statement from the company after reports that a huge data leak had taken place (via VGC). These reports stem from a 125GB torrent file that was posted to an internet forum which reportedly includes source files for the site, creator payouts from 2019, and encrypted passwords. VGC reports that that the justification for the leak was that it would “foster more disruption and competition in the online video streaming space”.  

The leak also reportedly revealed the existence of a service that was in development called 'Vapor', which appears to be an Amazon Games Studio competitor to Steam which would be integrated with Twitch. Amazon and Amazon Games Studio is yet to comment on details of the leak.

With a major breach like this, you really should change your Twitch password - and any password associated with the account - immediately. It's also worth turning on two-factor authentication with your Twitch account, as this means that any attempt to log in to your account will be flagged via your mobile phone.    

We'll update this story as soon as Twitch confirms the extent of the leak.