Site Outage: Passwords and Stream Keys Reset
TL;DR: DON’T PANIC — We were not hacked. Our web CDN made a requested change without obeying our caching ruleset, which resulted in some caching that had a (very, very) slim probability of revealing a limited amount of your account information. To be cautious, we’re changing stream keys and requiring a password reset on your next login. Finally, no payment information was exposed as we do not store any of this information.
We’ll continue to post updates on when the site will be restored, but we wanted to make sure that you change any passwords on other sites that are the same as or similar to the password you use on Twitch.
EXPLANATION: In order to improve service, we were working to change how our pages were cached. We worked with our partner web CDN to make these changes. Unfortunately, during the update process our caching ruleset was not obeyed by our CDN partner, and some pages that should not have been cached were cached after this update. If you were logged in during this time, there was a very slim possibility that your user-specific information, such as stream key and password hash, were exposed in these improperly cached pages.
We believe very few credentials were exposed. We responded immediately by bringing the site down in order to halt any further potential information exposure. For the security of all of our users, we are forcing all users to reset their passwords on next login. You can do so immediately by visiting our password reset page and entering your username to send yourself an email to reset your password.
Before the site was shut down, you may have viewed some pages as another user. You could chat and view settings as that user, and this potentially exposed that user’s stream key, password hash, and email address. You could not change that user’s settings, however.
No payment information (credit cards or PayPal) was exposed, as we do not store any of this information in our systems and it does not go through the CDN.
Though we hash all passwords, we encourage you to change your password(s) on any other sites on which you use the same or a similar password. A password hash can, with significant time and effort, be used to deduce the password itself. Since your password hash may have been exposed to other users, it’s important to make sure this password is not being used anywhere else (for example, for your email account).
We apologize for the trouble and the downtime. We are bringing our services back up, starting with the website. Upon login, you will be prompted to create a new password. You may experience some login issues over the next 24 hours as our database resets with your new session and stream key. Chat will return when we are certain the website is stable, and we will send an update when we are finished.
When the site is back online, you can manage your stream key here.
We will follow up tomorrow with a further technical explanation of what occurred.
FAQ
Q: I thought CDNs only stored stuff like images and video. Why do we need to reset our passwords?
A: Like many sites, we use a web CDN to cache certain frequently-accessed web pages for faster service (for example, the directory). During this rollout, our web CDN did not follow our caching ruleset and cached some pages that potentially allowed access to some users’ information. We’ll go into more details in a follow-up post.
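The failure described in the explanation above and in this answer is a shared cache storing a page that belongs to one logged-in user and then serving it to another. The following is an added example, not Twitch's code or its CDN's ruleset: it audits a set of constructed sample responses for personalized pages that a shared cache is permitted to store, and shows the response headers (Cache-Control: private, no-store plus Vary: Cookie) that keep such pages out of the CDN regardless of what the cache rules say. The paths, headers and the personalized flag are assumptions made for the illustration.

```python
"""
Added example (not Twitch's code): audit HTTP responses for the failure the
post describes, a shared cache (CDN) storing a page that carries one user's
private data, and show the headers that prevent it. All sample responses
below are constructed for this illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Response:
    path: str
    headers: Dict[str, str]
    personalized: bool  # body contains user-specific data (settings, stream key, email)


def parse_cache_control(value: str) -> Dict[str, Optional[str]]:
    """Split 'public, max-age=60' into {'public': None, 'max-age': '60'}."""
    directives: Dict[str, Optional[str]] = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') if val else None
    return directives


def shared_cache_may_store(headers: Dict[str, str]) -> bool:
    """Simplified RFC 9111 rule for a shared cache such as a CDN:
    'private' or 'no-store' forbids storage; otherwise the response is
    storable when it carries explicit freshness (public, s-maxage, max-age
    or an Expires header)."""
    cc = parse_cache_control(headers.get("Cache-Control", ""))
    if "no-store" in cc or "private" in cc:
        return False
    if "public" in cc or "s-maxage" in cc or "max-age" in cc:
        return True
    return "Expires" in headers


def find_leaks(responses: List[Response]) -> List[str]:
    """Paths of personalized responses a CDN would be allowed to store,
    i.e. the pages that could later be served to a different user."""
    return [r.path for r in responses
            if r.personalized and shared_cache_may_store(r.headers)]


def harden(headers: Dict[str, str]) -> Dict[str, str]:
    """Headers a personalized response should always carry: no-store stops
    every cache from keeping a copy, private excludes shared caches even if
    a layer mishandles no-store, and Vary: Cookie keys any copy a misbehaving
    cache keeps anyway to the session cookie that produced it."""
    hardened = dict(headers)
    hardened.pop("Expires", None)
    hardened["Cache-Control"] = "private, no-store"
    hardened["Vary"] = "Cookie"
    return hardened


# Constructed sample: what a CDN might see after a bad cache rule rollout.
SAMPLE_RESPONSES = [
    Response("/directory", {"Cache-Control": "public, max-age=60"}, personalized=False),
    Response("/settings", {"Cache-Control": "public, s-maxage=300"}, personalized=True),
    Response("/dashboard", {"Expires": "Thu, 01 Jan 2026 00:00:00 GMT"}, personalized=True),
    Response("/settings", {"Cache-Control": "private, no-store"}, personalized=True),
]


if __name__ == "__main__":
    for path in find_leaks(SAMPLE_RESPONSES):
        print("shared-cacheable personalized page:", path)
    print("after hardening:", find_leaks(
        [Response(r.path, harden(r.headers), r.personalized) for r in SAMPLE_RESPONSES]))
```

Run against the sample, the audit flags /settings (public with s-maxage) and /dashboard (storable only because of an Expires header and no Cache-Control at all), and flags nothing once harden() has been applied. The point of setting the headers on the origin response rather than relying on the CDN's ruleset alone is exactly the incident above: a cache rule can be changed or ignored at the edge, while a response that says no-store is ineligible for storage under any ruleset.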
Q: If you weren’t hacked, how come there was a “hackflag.png” on your homepage?
A: As you can see from the “Justin.tv” mentions, the maintenance page is outdated and hasn’t been updated, as we haven’t had to take the site down for emergency maintenance in quite some time.
Here’s an old picture of our engineering team during “Hack Week”, an annual event where our developers get to work on any cool project for Twitch they can think up, that shows the origin of the “Hack Flag.”
After we had fixed the issue, and while we were waiting for it to propagate, we took a couple of seconds to give the maintenance screen a little facelift.