While I work in security, when it’s quitting time, I’m a gamer through and through. My home is littered with consoles from Sega Genesis and NES to PS3 and Xbox One. My last two PC purchases have been strictly gaming machines, and I even bought a game pad for my iPhone because I enjoy playing (and streaming) Asphalt 8. This year, I’ve casually streamed a few times because I took part in Extra Life, a charity fundraiser that involves a 24-hour gaming marathon. This means that when an email showed up stating that there was a breach at Twitch, I was a little concerned. Luckily, the username/password combination isn’t used elsewhere but I’m still always concerned when I see that my personal information has been breached. Since this has impacted my personal confidence in Twitch (I definitely won’t link it to my Twitter account again until they introduce two-factor authentication), I wanted to see what more experienced streamers and my fellow gamers had to say about this issue:
So, my initial thoughts are that I wonder what happened, and I usually reserve judgement until I hear more about what happened, what specifically was breached, and what steps they are taking to prevent it from happening again. At this time, I've only heard that they've been breached, and only vaguely been told what has potentially been stolen. If they don't explain more about what happened and what they're doing to prevent it from happening again in the future, my confidence will definitely be lost. —StrongFarce, Hearthstone Streamer
Longtime EVE Online streamer DaOpa said that Twitch generally has bigger problems than this breach and wondered if this was related to an issue last week when users could randomly access other users dashboards, which was discussed on Reddit. Another streamer, HLIBindustry, felt that Twitch’s response was exceptional: “10/10 would continue streaming." I have to say that I was impressed with their response, quickly updating their password policy. What really surprised me though, was the blow back to the new password policy on the Twitch Customer Portal (warning: Contains NSFW language) Stronger Password thread.
My colleagues were outraged that they had to change their password, and heavily debated ever using the service again. Also, they found labeling their password strength as 'so-so' to be offensive. —Console Creatures
I’ve already noticed numerous popular streamers back online, which, to some extent, seems to display a lack of concern over the breach. Then again, for some streamers, Twitch is a secondary (or even primary) source of income. I’ve seen streamers crowd source new PCs and share their Amazon wish lists. Some users even monetize their streams, charging for the HD versions and providing the SD versions for free. Another aspect to consider is the lack of options for streamers. My Xbox One has Twitch integrated. My favourite PC game, EVE Online, also contains Twitch integration. There are a few alternative services but I’ve yet to see an experience that compares to Twitch – most offer lower quality, fewer users browsing streams, or more ads. Twitch is also the go-to platform for esports so far, with league matches and tournaments frequently streamed complete with commentators and instant replay, which increases gamers' interaction with Twitch. Furthermore, some streamers didn’t seem to realize the full impact of the breach. One streamer noted that she wasn’t aware of the scale of the breach, thinking only her account was affected. Another streamer I spoke with had initially seen the notice but hadn’t paid it a second thought. After further consideration, he shared the following:
I would expect a lot more security from a company so huge. How can we feel safe when we get an email telling us our passwords have been compromised? —Starclanrs, RuneScape and League of Legends Streamer
It will be interesting to see the long-term consequences of the breach. Assuming that passwords were adequately secured, the biggest risk will likely be doxxing, a common practice in the video game community today where a user’s personal information is released along with the suggestion that the user deserves real life harassment for actions taken in a video game. According to the Twitch notification, leaked information could include:
- Username
- Email address
- Cryptographically protected password
- Last known IP Address
- Full name
- Phone number
- Address
- Date of birth
Longtime gamer and Twitch stream viewer Peter Melse also had concerns regarding the consequences:
Username and passwords, fine. They're a necessary evil, and with the use of a good password manager, easy to protect post-breach. It’s the personal information that bothers me. It's far more difficult to change your name and address *every* time a corporation discloses your data. At this point, I’ve heard nothing about compensating people for the identity theft implications.
Peter’s point also makes me wonder about paid Twitch options. There are Twitch Partners that are paid a portion of their advertising revenue via PayPal, which means that PayPal accounts may also be listed. Additionally, users can pay to subscribe to their favourite streamers; these payments can be made using credit cards on the Twitch site. I’ve seen no mention to any impact related to this credit card information and whether or not it is impacted. In the end, Twitch has already relaxed their new complex password policy and given the number of active streams, so it doesn’t look like anyone is too concerned about the breach and there appears to be little to no broad scale lost confidence in the streaming service.
