Gameplay-streaming upstart Twitch thinks hackers may have harvested its user accounts for private information – and has reset people's passwords as a precaution.
The San Francisco-based startup, which lets people stream videos of themselves playing games to online spectators, said it has also voided all stream keys and disconnected accounts from Twitter and YouTube in an attempt to prevent further account hijacking. Users must enter a new password the next time they log into Twitch.
Additionally, people are being advised to change their passwords on any other sites that shared the same login credentials as their Twitch account in order to prevent any further account breaches. El Reg would suggest that if you haven't already, this is a good excuse to adopt a unique password for every site.
According to warning emails sent by Twitch to affected users, hackers may have obtained:
Usernames; email addresses; the IP addresses from where people last logged in; their credit card types, truncated card numbers and expiration dates; first and last names; phone numbers; home addresses; and dates of birth.
The passwords are stored in a hashed form, but the hackers may have been able to plant code on the website on March 3 that was able to intercept passwords in the clear as victims logged in, Twitch warns.
To El Reg, that sounds as though miscreants were able to compromise Twitch's webpages, snatch the passwords of any number of users logging in, and then log in as them to harvest their personal information from their account pages.
"There may have been unauthorized access to some Twitch user account information," Twitch told its gaming fans today.
"For your protection, we have expired passwords and stream keys and have disconnected accounts from Twitter and YouTube. As a result, you will be prompted to create a new password the next time you attempt to log into your Twitch account.
"We also recommend that you change your password at any website where you use the same or a similar password. We will communicate directly with affected users with additional details."
Twitch's announcement of the hacking makes no mention of the scale of the breach, nor how many accounts might have been compromised. A spokesman for the biz told El Reg it has nothing further to add. Last time we looked, in, er, mid-2013, Twitch.tv had 43 million viewers a month.
Amazon acquired Twitch last year in a $970m deal, reportedly outbidding YouTube owner Google. ®