

Twitch.tv account information leaked - SG-

We are writing to let you know that there may have been unauthorized access to some of your Twitch user account information, including possibly your Twitch username and associated email address, your password (which was cryptographically protected), the last IP address you logged in from, and any of the following if you provided it to us: first and last name, phone number, address, and date of birth.

For your protection, we have expired your password and stream keys. In addition, if you had connected your account to Twitter or YouTube, we have terminated this connection.

You will be prompted to create a new password the next time you attempt to log into your Twitch account. If applicable, you will also need to re-connect your account to Twitter and YouTube, and re-authenticate through Facebook, once you change your password. We also recommend that you change your password at any other website where you use the same or a similar password.

We apologize for this inconvenience.

The Twitch Team

---

I posted the email text I received instead of the notice on their blog:

http://blog.twitch.tv/2015/03/important-notice-about-your-twitch-account/

The email version includes more specific information on what was leaked (personal information on top of e-mail address/password).
======
Kopty
This apology (if you can call it that) annoyed me so much. At no point in this
entire e-mail did they own up to their negligence and security failure, nor
have they reassured us about steps being taken to make sure this doesn't
happen again. Thoroughly disappointed.

~~~
KhalPanda
I assume this was more of a notification, and hopefully there will be more of
a 'post-mortem' yet to come.

~~~
SG-
I doubt it, the public blog post has fewer details on what was breached compared
to the private emails they sent out.

I'm not so mad about the password being stolen, but the combination of my
e-mail address and my DOB which can be used for a lot of things (sites with
bad password recovery). I suppose it's time I start a system where I provide
a fake DOB.

------
Scoundreller
> "your password (which was cryptographically protected)"

I'm sure everyone here is dying to know what "cryptographically protected"
means.

Does MD5 count?

~~~
elithrar
> I'm sure everyone here is dying to know what "cryptographically protected"
> means.

Ditto. I tweeted them, but not hopeful for a reply.

The words "cryptographically protected" are borderline 'weasel words' given
that many organisations have conflated 'cryptographic' with 'cryptographic
hash' (NOT suitable) instead of a proper key derivation function (KDF)
designed for the purpose.

~~~
Scoundreller
I can't wait for the day that companies start saying they turn users'
passwords into a "digested hash".

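The distinction elithrar draws above, between a bare cryptographic hash and a key derivation function built for password storage, as an added example that is not part of this thread and has nothing to do with how Twitch actually stored passwords (the notice does not say). The wordlist and the iteration count are constructed for illustration; a real deployment would tune the iteration count by measuring on its own hardware.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Constructed wordlist standing in for the top entries of a real cracking list.
WORDLIST: List[str] = ["123456", "password", "qwerty", "letmein", "twitch2015"]


def md5_store(password: str) -> str:
    """What "cryptographically protected" too often means in practice: a bare,
    unsalted, fast hash of the password. Every user with the same password
    gets the same digest, so one precomputed table cracks all of them."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def build_lookup_table(wordlist: List[str]) -> Dict[str, str]:
    """Attacker side: precompute digest -> password once. With no salt the
    table is built a single time and reused against every leaked record."""
    return {md5_store(word): word for word in wordlist}


def crack_unsalted(digest: str, wordlist: List[str]) -> Optional[str]:
    """Recover a password from an unsalted MD5 digest by table lookup.
    Returns None when the password is not in the wordlist."""
    return build_lookup_table(wordlist).get(digest)


# Hypothetical work factor; 100k iterations of PBKDF2-HMAC-SHA256 is a
# reasonable floor as of this writing, but measure on your own hardware.
PBKDF2_ITERATIONS = 100_000


def pbkdf2_store(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """A proper KDF: per-user random salt plus a tunable iteration count.
    The stored string carries everything needed to verify later, in a
    self-describing format (scheme$iterations$salt_hex$dk_hex)."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and iteration count and compare in
    constant time. Malformed or foreign records verify as False rather than
    raising, so a corrupted row cannot turn into a crash on the login path."""
    try:
        scheme, iterations, salt_hex, dk_hex = stored.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(dk_hex)
        n = int(iterations)
    except ValueError:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, n)
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Unsalted fast hash: the "leaked" digest falls to a dictionary lookup.
    leaked = md5_store("password")
    print("md5 digest:", leaked, "-> cracked as:", crack_unsalted(leaked, WORDLIST))

    # KDF with a random salt: two users with the same password get different
    # records, so the table-lookup attack above no longer applies.
    a, b = pbkdf2_store("password"), pbkdf2_store("password")
    print("same password, distinct records:", a != b)
    print("verify correct:", pbkdf2_verify("password", a))
    print("verify wrong:  ", pbkdf2_verify("Password", a))
```

The point of the example is not that PBKDF2 is the best choice (bcrypt, scrypt or Argon2 are all defensible), but that "cryptographic" alone says nothing: an MD5 or SHA-256 digest of the password is cryptographic and still cracks at billions of guesses per second with no per-user work, whereas a salted, iterated KDF forces the attacker to pay the full cost per user per guess.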
