Twitch TV, the most popular site for streaming live gameplay, is currently undergoing unexpected extended maintenance. On Friday evening, Twitch took its site offline due to a caching issue with its CDN (content delivery network) which temporarily exposed the account information of a number of users. Twitch is in the process of resetting the passwords and stream keys of every user account on the site. It has been over six hours since this process began, and Twitch is still offline. Twitch says the process is taking so long because “10s of millions of accounts resets takes quite a bit of time.”
Shortly after Twitch announced it would be resetting credentials, the community started to speculate about whether the site had been hacked. Many did not believe a caching problem would warrant a site-wide reset of accounts. Fueling these allegations were claims of odd activity on Twitch over the past few days, and of some users’ ability to view the credentials of other accounts without permission. Twitch addressed these claims in a follow-up blog post, explaining exactly what went wrong and what users should do to ensure their private information remains secure.
“We were not hacked,” wrote Jason Maestas, director of customer support at Twitch. “Our web CDN made a requested change without obeying our caching ruleset, which resulted in some caching that had a (very, very) slim probability of revealing a limited amount of your account information.”
The account information Maestas referred to includes hashed passwords, stream keys and email addresses. He also said that while this information was visible, it could not be edited. Maestas said payment information associated with credit cards or PayPal was not exposed because Twitch does not store that information. As a precaution, users are advised to change their password on any other site where it is similar or identical to the one they used for Twitch.
Maestas also provided a more technical explanation of what happened. Even more technical details are expected to be given today.
“In order to improve service, we were working to change how our pages were cached. We worked with our partner web CDN to make these changes. Unfortunately, during the update process our caching ruleset was not obeyed by our CDN partner, and some pages that should not have been cached were cached after this update. If you were logged in during this time, there was a very slim possibility that your user-specific information, such as stream key and password hash, were exposed in these improperly cached pages.”
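The failure Maestas describes, user-specific pages being stored and served by a shared cache, can be checked for from the client side of the CDN. The following is an added example, not code from Twitch or its CDN partner: it audits response headers as received from the edge, and the paths and header values are constructed sample data.

```python
# Added example: constructed observations, hypothetical paths and header values.
SHARED_DIRECTIVES = {"public", "s-maxage"}      # explicitly allow shared caching
BLOCKING_DIRECTIVES = {"private", "no-store"}   # forbid storage by a shared cache

def parse_cache_control(value):
    """Split a Cache-Control value into a set of lowercase directive names."""
    names = set()
    for part in value.split(","):
        name = part.partition("=")[0].strip().lower()
        if name:
            names.add(name)
    return names

def audit_response(user_specific, headers):
    """Return findings for one response as received from the CDN edge."""
    if not user_specific:
        return []  # shared caching of public assets is expected
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    findings = []
    if not (cc & BLOCKING_DIRECTIVES):
        findings.append("missing-private-or-no-store")
    if cc & SHARED_DIRECTIVES:
        findings.append("shared-cache-directive")
    if "age" in h:
        # Age is set by caches (RFC 9111): this response was not generated
        # by the origin for this request, whatever the ruleset intended.
        findings.append("served-from-cache")
    return findings

# (path, carries user-specific data?, headers seen at the edge) - constructed
OBSERVED = [
    ("/dashboard", True, {"Cache-Control": "private, no-store"}),
    ("/settings", True, {"Cache-Control": "public, max-age=300", "Age": "42"}),
    ("/profile/edit", True, {"Cache-Control": "private, no-store", "Age": "17"}),
    ("/static/logo.png", False, {"Cache-Control": "public, max-age=86400", "Age": "100"}),
]

def audit_all(observations):
    """Map each path with at least one finding to its list of findings."""
    report = {}
    for path, user_specific, headers in observations:
        findings = audit_response(user_specific, headers)
        if findings:
            report[path] = findings
    return report

if __name__ == "__main__":
    for path, findings in audit_all(OBSERVED).items():
        print(path, ", ".join(findings))
```

The `/profile/edit` row is the case closest to the incident as described: the headers forbid shared caching, yet the response still arrives with an `Age` header, so the check has to run against what the edge actually serves and not only against the origin's configuration.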
Source [Twitch Blog]