Twitch has definitively stated that passwords weren’t exposed in last week’s major data breach.
“Twitch passwords have not been exposed,” Twitch said in an update to its webpage about the security incident. “We are also confident that systems that store Twitch login credentials, which are hashed with bcrypt, were not accessed, nor were full credit card numbers or ACH / bank information.”
Last week, what appeared to be leaked source code for Twitch hit the web, and in Friday’s update, Twitch confirmed that was the case. “The exposed data primarily contained documents from Twitch’s source code repository, as well as a subset of creator payout data,” the company said. Twitch claims that the information exposed “only affected a small fraction of users, and the customer impact is minimal,” and it says it is following up directly with those who were affected.
Sources who spoke to The Verge last week painted a picture of a company with bad security practices and detailed a previously unreported security problem that took place in 2017. On Thursday, Vice reported on another massive hack that happened in 2014. In Friday’s update, Twitch said it has “taken steps to further secure our service.”