Image copyright Twitch Image caption A growing amount of video content is hosted on the site
Twitch, the videogame streaming site, has been hit by a “potentially disastrous” hack – prompting parent company Amazon to warn “foreseeable” consequences.
In a statement on Twitter, Amazon said an unauthorised party had “looted Twitch user accounts” – though it added that the firm was working to reset passwords and restore accounts.
Twitch recently announced it was buying game-streaming rival Vidyard.
Amazon bought Twitch in 2014 for more than $1bn (£730m).
On Monday, the company apologised to its users after the breach was revealed.
“It’s not the kind of situation we want for Twitch and our users,” it said.
This is not the first time Twitch has been targeted. In 2017, we implemented additional protective measures for any data stored on Amazon S3 and better monitored activity over Amazon S3 for suspicious activity. Despite these changes, our AWS [Amazon Web Services] partner informed us of unauthorised activity on Twitch. They did not name the site. Some speculate it may be Esports. We take this matter seriously and are committed to working quickly to identify those responsible. We will also implement additional safeguards to increase security. Twitch has learned from previous breaches that not all information is safe and secure. Learn from this event to expand upon the measures we’re already taking to protect your information. We are committing to step-up security by: Monitoring activity on AWS for suspicious activity
Increasing the frequency and volume of AWS detection
Verifying, at the very least, that a specific user logged onto the AWS service at a specific time and from a specific location
Considering additional measures to ensure that employees and contractors have not made permanent AWS cloud accounts.
Twitch’s ‘Filly Game’
According to a post on the Discord forums, the breach has affected “a very small percentage” of the site’s accounts, which currently include more than 50 million registered users.
On Sunday, the group responsible for the hack – which goes by the name The League of Evil for/against – sent an email to its purported members.
They said: “On behalf of myself and my partner, we want to apologise for this incident.
“We had no intentions to put your data at risk. If we had been serious about this, we would have sent you all password verification emails instead of white outtakes from our days.”
According to the email, the compromised accounts have no stored payment information or messages, meaning the intrusion should not have allowed hackers to mine bitcoin – but Amazon has warned that the details were taken and may be used to sign into Amazon’s service.
Amazon said: “While it appears that none of your payment information was at risk, it is possible that your usernames and answers to authentication questions may have been obtained.
“While your account should now be safe, we recommend that you enter your account password to ensure your safety.”
In a blog post, Twitch’s director of community Brad Jefferson admitted the breach had “put many people’s information at risk, and we do not take this lightly”.
“We are doing everything we can to create safe and secure channels for affected Twitch accounts to be reconnected, regain access, and be reset.
“In the event that you’re not able to restore your Twitch account, we will work with you to find other ways to experience your gaming community.”
What is Twitch?
Twitch allows viewers to watch livestreams of games from users around the world, and also allows creators to hold live broadcasts of themselves.
The site was launched in 2010 by Justin Kan, one of several co-founders of Skype.