
Amazon's Twitch Hacked, Caves To Angry User Demands For Less Secure Passwords


When a company is breached, the typical reaction is to increase security across the board. But Twitch, the Amazon-owned game streaming company, has decided to reduce the minimum number of characters in user passwords, thereby allowing users to have less secure logins, in response to customer complaints.

The attack was announced yesterday on a company blog, whilst emails were also sent to concerned users. There’s little detail on the extent of the attack; Twitch simply said all user passwords were to be reset after it detected possible unauthorized access to some Twitch user account information.

According to the email sent to users, some cryptographic protections were used on passwords, but it wasn’t clear how strong they were. And it said it was possible passwords could have been captured in plain text by malicious code when users logged into the site on 3 March.


Various kinds of data could have been compromised, including credit card information, in particular card type, a truncated card number and the expiration date. Usernames and associated email addresses, passwords, the last IP address users logged in from, phone number, address and date of birth were also potentially stolen. With all that information, a hacker would have a good chance of stealing a victim’s identity.

Users started to complain en masse across Twitch’s social networks, however. Some said they couldn’t remember their password, others said when they tried to change their passwords to anything less than 20 characters they weren’t allowed, due to the site’s restrictions. Texan Twitch customer Corbin Ellis told the company on their Facebook page that “if users want to use bad passwords, that’s their problem, not yours”.

Twitch caved to customer demands, announcing it would reduce the limit on minimum password length to eight characters minimum. Web security expert Troy Hunt told FORBES more than eight was surprisingly restrictive. “But what’s disheartening about this is that users have apparently baulked at creating passwords longer than eight characters so are clearly not getting the message on what constitutes a strong ‘secret’.”

Authentication expert Per Thorsheim said it didn’t make sense to lower the length requirement after a breach. “I’d say on the contrary in many cases. In this specific case they have dramatically lowered their requirements. From a security perspective this could be justified by new and better ways of sending, [encrypting] and storing your passwords.”

If any more evidence was needed that the username-password paradigm is a flawed form of authentication, the Twitch breach has provided it.

Source: Amazon's Twitch Hacked, Caves To Angry User Demands For Less Secure Passwords - Forbes

Twitch really took a beating...


To protect its 100 million users, the live-stream video service for gamers says it has reset all passwords and disconnected user accounts from Twitter and YouTube.

Twitch, which enables gamers to live-stream their game play, has likely been hacked.

Twitch, which is owned by Amazon, said in a blog post Monday that it discovered possible "unauthorized access to some Twitch user account information." The company provided few details but did say that all user passwords have been reset and that accounts connected to Twitter and YouTube to promote live streams have been disconnected.

According to the Wall Street Journal, which obtained a copy of an e-mail that Twitch sent to affected users, Twitch said that passwords, e-mail addresses, user names, home addresses, phone numbers, and dates of birth may have been accessed. The company has not outright confirmed a breach, saying that it's still investigating.

Amazon bought Twitch last year for $970 million. Twitch is the most popular social video platform for gamers, allowing them to live stream game content and communicate with friends and fans. In February, Twitch boasted that its community now has more than 100 million members and 1.5 million broadcasters. In February 2014, Twitch accounted for 1.8 percent of all US Internet traffic at peak times, putting it behind Netflix, Google, and Apple, which combined account for more than 58 percent share. Meanwhile, Hulu, Facebook, and Amazon, among others, trailed Twitch.

If Twitch was hacked, it would be just the latest in a string of attacks on major companies over the past few years. In December 2013, retail giant Target said that hackers stole credit card data for more than 110 million customers. Major hacks reported in 2014 and 2015 include those on department store Neiman Marcus, restaurant chain P.F. Chang's, crafts-supplies chain Michaels Stores, hardware chain Home Depot, office-supplies chain Staples and insurance provider Anthem. One of the most notable breaches last year hit Sony Pictures. The hackers released private e-mails of Sony executives, as well as screenings of upcoming films.

The Twitch hack may have centered on simply getting data. By accessing the data, hackers could use it in a range of phishing attacks designed to target people through their e-mail addresses and get them to click on links to steal sensitive information. Attacks have also resulted in hackers selling user data on the Web's black market, allowing criminals to steal goods with another person's identity.

"Gaming sites have always been a lucrative target," ESET security specialist Mark James said Tuesday. "Not only do they represent gamers that may use the same login and passwords as similar sites but they also enable the possibility of other electronic goods to be stolen and sold elsewhere, in game items, in game gold."

Twitch said it plans to provide more details about the incident. Meanwhile, the company has urged its users to use strong passwords.

James agreed. "There's no perfect advice for when your details are stolen but changing your password is certainly one of the best," James said. "The very best is to strengthen the importance of having unique passwords for each and every login you have - that way if your password is found it's useless on another site."

Twitch did not immediately respond to CNET's request for comment.

