Twitch says user passwords and financial information were not exposed in the massive data breach that occurred last week, and that it is "confident" that systems that store encrypted login credentials were not accessed.
"The exposed data primarily contained documents from Twitch’s source code repository, as well as a subset of creator payout data," Twitch said. "We’ve undergone a thorough review of the information included in the files exposed and are confident that it only affected a small fraction of users and the customer impact is minimal. We are contacting those who have been impacted directly."
It also confirmed that the incident was the result of a server configuration error "that allowed improper access by an unauthorized third party." The issue has since been fixed.
The wording of the statement, specifically the reference to the examination of "information included in the files exposed," could be intended to give Twitch some wiggle room down the road should more damaging information come to light: The hacker behind last week's leak referred to it as "part one," implying that there's more to come in the future, the specific nature of which Twitch may not yet be aware of.
Still, it's about as good an outcome as Twitch could hope for given the extent of the breach, which totaled 125GB of data that included streamer payout information, the source code for the entire Twitch site, and news of an unreleased Steam competitor codenamed Vapor. Security experts were appalled by the scale of the hack: One said the breach was "as bad as it could possibly be."
Despite the relatively good news, reaction to Twitch's statement on Twitter was not uniformly positive. One user claimed there was a "myriad" of two-factor authentication requests the day after the hack, suggesting that some passwords were leaked; another pointed out that 10,000 streamers had their payout information leaked, and while that might indeed be a "small fraction" of Twitch's total user base, it's still a hell of a lot of people. And there's still some concern about the potential for fraud arising from the data that did get out.
"I think what should be addressed, is the statement of '...were not accessed, nor were full credit card numbers'. My name, linked to let's say the last four numbers of my credit card; can cause many significant fraud issues." (October 15, 2021)
Twitch concluded by saying that it has "taken steps to further secure" the platform, although it didn't get into any specifics on that front, and apologized to its users for the breach.