A massive breach at one of the world’s biggest gaming platforms earlier this month may not be as bad as first thought, with the firm claiming that no passwords were exposed in the incident.
Security experts roundly criticized Amazon-owned Twitch after an anonymous user posted a 125GB torrent link to 4Chan, and claimed to have leaked every digital property owned by the firm.
However, in an update on Friday, Twitch claimed that user passwords were not impacted.
“We are also confident that systems that store Twitch login credentials, which are hashed with bcrypt, were not accessed, nor were full credit card numbers or ACH / bank information,” it added.
“The exposed data primarily contained documents from Twitch’s source code repository, as well as a subset of creator pay-out data. We’ve undergone a thorough review of the information included in the files exposed and are confident that it only affected a small fraction of users and the customer impact is minimal. We are contacting those who have been impacted directly.”
At the time, the attacker claimed to have all of the firm’s source code; mobile, desktop and console clients; proprietary SDKs and internal AWS services; and “every other property” it owns, including IGDB, CurseForge and an unreleased Steam competitor, dubbed “Vapor.”
Also reportedly compromised were red teaming tools used by Twitch’s SecOps function and information on how much the firm paid its most popular streamers.
That prompted some to argue the incident was “as bad as it gets” from an infosecurity perspective. Others were dumbfounded that an individual could have stolen so much sensitive information without setting off any internal alarms.
Although only a small number of users appear to have been impacted by the incident, the scale of the IP breach would still indicate that Twitch’s security posture was not up to par.
The unauthorized third party in question was able to access the data after a server misconfiguration, according to Twitch.