Twitch announced in a blog post yesterday that its users' account information may have been compromised. In response to the breach, they have reset all account passwords and stream keys. They've also disconnected Twitter and YouTube connections from accounts.
The compromised information could include usernames, e-mail addresses, passwords, and the last IP address used by each user. Users may optionally supply Twitch with their first and last names, phone numbers, addresses, and dates of birth. That information has been affected as well. Thankfully, Twitch doesn't store credit-card info.
So far, Twitch's response to the breach hasn't looked good, especially when it comes to communicating with its customers. One would assume a company recently purchased by Amazon to the tune of a billion dollars would have an incident response policy with a contingency prepared for the all-too-common occurrence of personally identifiable information being lost. Yet the press has uncovered that different information is being disseminated to different audiences. The e-mails sent out to their customers are not just a rehash of the blog post, and those e-mails aren't identical across Twitch's user base.
"While we store passwords in a cryptographically protected form, we believe it’s possible that your password could have been captured in clear text by malicious code when you logged into our site on March 3rd."
That's not just a dump of customer information out of a database. That statement carries the far more serious implication that the attackers gained some measure of control over Twitch's infrastructure. Why did only certain people receive this information? Out of an abundance of caution, all Twitch users should assume the worst-case scenario applies to them.
Of course, Twitch is now forcing its users to change their passwords when they log in to the site. I would suggest using a good, strong password that's unique to Twitch if you're one of those affected.