Twitch is sounding the alarm over a potential data breach. Hackers may have compromised the streaming video service and gained access to consumers’ personal data, including names and e-mail addresses.
In case you haven’t heard of Twitch, it’s officially an Amazon brand. In August, Amazon laid down nearly $1 billion in cash for Twitch, which caters to gamers who want to broadcast their virtual adventures online.
“We are writing to let you know that there may have been unauthorized access to some Twitch user account information,” Twitch said in a blog post. “For your protection, we have expired passwords and stream keys and have disconnected accounts from Twitter and YouTube. As a result, you will be prompted to create a new password the next time you attempt to log into your Twitch account.”
Good, Bad and Ugly
As is standard practice in today’s security world, Twitch is also recommending users change their passwords on any other Web sites where they used the same or similar credentials.
“In order to create a secure password, we suggest you use a long random character string with a mix of character types (letters, numbers, symbols),” the company said. “To make it easy to remember, feel free to use words from the dictionary with multiple uncommon string substitutions.”
Twitch gave examples of “bad,” “okay,” “good” and “best” passwords. “Applesauce1!” is listed as a bad password because although there are different character types, the password is predominantly a single word from the dictionary.
By contrast, Twitch rates “ILoveGreenApplesauce” as “okay” because there are multiple words and lots of characters, but the words are too common. An example of a “good” password is “!70v3Gr33n@pple$auce?” because it uses multiple words and lots of characters with uncommon substitutions. But Twitch said the “best” passwords use a reputable password manager with a random password generator.
A History of Lax Passwords
We asked Tyler Reguly, a security researcher at advanced threat protection firm Tripwire, for his thoughts on the breach. He told us Twitch has become a household name in the gaming community. As a Twitch user himself, he’s made use of the Twitter integration and is glad to see that those connections were immediately severed.
“Twitch has a history of very lax password requirements and [this] breach has made them rethink and then reverse their process,” Reguly said. “While they've listed what they consider to be ‘strong passwords,’ they caved on the complexity requirements due to user feedback.”
As Reguly sees it, this speaks to a bigger problem with the company's user base -- some people simply do not care about passwords and password security. He suspects many Twitch users share passwords between the video games and game-related sites, and these users are likely the same ones who complain about password security.
“Hopefully, Twitch will consider two-factor authentication as an option for its users,” he said. “Video game vendor Blizzard has offered two-factor authentication for a while now and CCP Games will offer some in the near future.”
Who Are These People?
Based on some interesting statistics, Tripwire security researcher Lane Thames told us this data breach could lead to huge profits for the attackers. First, Twitch has over 50 million registered accounts, and that’s a lot of people, he said. But who are these people?
“According to a survey conducted last year, the average age of a Twitch user is 21, with 76 percent of Twitch’s audience being 18 to 49 years old. Now, how does this age group manage their passwords?” he asked. “Another study suggests that 41 percent of Millennials and Gen-Xers never change their passwords and that 60 percent of Millennials and Gen-Xers reuse passwords across different Web sites.”
What’s the implication? Thames offered one word: Profit. If these Twitch passwords are cracked, there could be many other account-level compromises as a result, he said.
What’s at Risk?
Ken Westin, security analyst at Tripwire, told us that although the communication to customers states their passwords were encrypted, either the passwords may not have been secured with a properly implemented one-way hash, or Twitch is resetting them out of an abundance of caution.
“Although the best practice is to use a different strong password for every Web site and service, this is generally not something the general public has implemented,” he said. “If the attackers were able to decrypt passwords they can potentially access other accounts of the affected users.”
Fed Up User:
Posted: 2015-03-25 @ 7:15am PT
A "reputable" password manager is a SPOF -- Single Point of Failure -- and a bigger tragedy waiting to happen. 2FA -- Two Factor Authentication -- is the way to go. Stop putting the burden on the user, accept them as they come and design the system around us instead of trying to mold us to your systems.