[TheRecord] Twitch says no user passwords or card numbers were exposed in major hack

In the aftermath of a major security breach that came to light yesterday, Twitch has now issued a formal statement to assure users that no passwords or payment card numbers were stolen or leaked online.

“At this time, we have no indication that login credentials have been exposed,” the company said in a blog post today.

“Additionally, full credit card numbers are not stored by Twitch, so full credit card numbers were not exposed,” it added.

Twitch said it also reset all stream keys as a result of the incident. Users who stream on the site would most likely need to obtain a new one from their Twitch profile backends.

The Amazon-owned company said that while it is still investigating the breach, it believes the breach occurred because of “an error in a Twitch server configuration change that was subsequently accessed by a malicious third party.”

That third party collected data from Twitch’s backend systems and released “part one” via a torrent file shared on 4chan.

The data trove, downloaded and analyzed by The Record, contained the source code for the Twitch.tv portal, backend applications and programming libraries, unreleased projects, and security and user management tools, as well as details about payouts to all Twitch users who are part of the company’s creator program.

The leaker promised to release more data but did not provide a timeline. The threat actor said they leaked the data as a response to Twitch’s poor handling of “hate raids,” bot attacks that have flooded the chats of top streamers with abusive content.

Twitch’s explanation for the cause of the breach is consistent with what Thomas Shadwell, who founded Twitch’s security team in 2014, told ISMG in an interview yesterday, namely that Twitch developers used security keys to authenticate, suggesting the leak could have occurred via a server issue, rather than a compromised employee account.

The post Twitch says no user passwords or card numbers were exposed in major hack appeared first on The Record by Recorded Future.
