Twitch said in emails to those potentially affected that their password, email address, user name, home address, phone number, date of birth, some credit card information (such as card type and expiration date, since Twitch does not store credit card numbers) and the IP address of the computer they last logged in from may have been compromised. The hack was most likely conducted through password capture.
Twitch stated that they store passwords in a “cryptographically protected form” but that they believe the passwords had been captured in clear text by malicious code during logins to the site on March 3rd. They added that they were expiring passwords and stream keys and disconnecting user accounts from Twitter and YouTube in an effort to control the breach. Users would be prompted to create a new password upon login.
“We also recommend that you change your password at any website where you use the same or a similar password,” the blog states. “We will communicate directly with affected users with additional details.”
With the wealth of personal identifying information possibly exposed, the risk of identity theft in this case is high. Yet some consumers seemed less concerned about the possibility of fraud and instead took to social media to contest Twitch’s new password policy. Many stated they couldn’t be expected to remember long, complex passwords, and that Twitch’s sudden requirement for a 20-character password was overly restrictive. According to Forbes, one consumer stated on the company’s Facebook page, “If users want to use bad passwords, that’s their problem, not yours.”
Strangely, instead of maintaining increased security across the board, Twitch has caved to the consumer response that their new password requirements were too stringent and allowed users to create less secure passwords, with an eight-character minimum. Authentication expert Per Thorsheim told Forbes that lowering the length requirement after a breach made little sense. “In this specific case they have dramatically lowered their requirements,” he said, adding that an increase in encryption levels or password storage security might have justified the decreased length, but it doesn’t seem that any such steps were taken.
Web security expert Troy Hunt also spoke to Forbes, stating that while more than eight characters might be considered restrictive, the consumer backlash showed that the public is still not “getting the message” on why strong passwords are needed.
Identity theft is a serious crime that can wreak havoc on people’s lives. It is essential, particularly after a data breach in which you might be affected, to take steps to secure your information. This means changing passwords to ensure uniqueness and complexity, and keeping your passwords safe. You should never decrease the amount of protection you have against identity theft, no matter how frustrating it might seem to create a longer password.