Twitch Outage: Passwords and Stream Keys Reset
Forum » General » Chit Chat
=TSR= Simo 24th Jun 2013

Joined: 14th Jun 2013
Rank: Site Admin
Posts: 1160
Likes 264

Twitch Outage: Passwords and Stream Keys Reset

TL;DR: DON’T PANIC – We were not hacked. Our web CDN made a requested change without obeying our caching ruleset, which resulted in some caching that had a (very, very) slim probability of revealing a limited amount of your account information. To be cautious, we’re changing stream keys and requiring a password reset on your next login. Finally, no payment information was exposed as we do not store any of this information.

We’ll continue to update regarding when the site will be restored, but we wanted to make sure that you change any passwords on other sites that are the same or similar to the password you use on Twitch.

In order to improve service, we were working to change how our pages were cached. We worked with our partner web CDN to make these changes. Unfortunately, during the update process our caching ruleset was not obeyed by our CDN partner, and some pages that should not have been cached were cached after this update. If you were logged in during this time, there was a very slim possibility that your user-specific information, such as stream key and password hash, were exposed in these improperly cached pages.

We believe very few credentials were exposed. We responded immediately by bringing the site down in order to halt any further potential information exposure. For the security of all of our users, we are forcing all users to reset their passwords on next login. You can do so immediately by visiting our password reset page and entering your username to send yourself an email to reset your password.

Before the site was shut down, you may have viewed some pages as another user. You could chat and view settings as that user, and this potentially exposed that user’s stream key, password hash, and email address. You could not change that user’s settings, however.

No payment information (credit cards or PayPal) was exposed, as we do not store any of this information in our systems and it does not go through the CDN.

Though we hash all passwords, we encourage you to change password(s) on any other sites on which you use the same or similar password(s). Password hashing can, with significant time and effort, be used to deduce the password itself. Since your password hash may have been exposed to other users, it’s important to make sure this password is not being used anywhere else (for example, your email account).

We apologize for the trouble and the downtime. We are bringing our services back up, starting with the website. Upon log in, you will be prompted to create a new password. You may experience some login issues over the next 24 hours as our database resets with your new session and stream key. Chat will return when we are certain the website is stable, and will send an update when we are finished.

When the site is back online, you can manage your stream key

We will follow up tomorrow with a further technical explanation of what occurred
Last Edit: 24th Jun 2013 by Simo
Forum » General » Chit Chat
Please login or register to reply.