EDMONTON -- A data breach affecting live streaming e-sports platform Twitch has put tens of millions of user passwords, payment methods and personal information at risk.

Early Wednesday, an anonymous hacker claimed to have leaked 125GB of data from the gaming service online, exposing a significant amount of the company’s internal data and revealing information about Twitch's highest paid video game streamers.

But experts say while the leak could be incredibly damaging to Twitch’s reputation, users should be vigilant in protecting any personal information that could be stolen and used nefariously by cyber criminals.

“There is a possibility people could access that data and use that to try and perpetrate scams against users,” Brett Callow, threat analyst at anti-virus software firm Emsisoft, told CTVNews.ca by phone Wednesday.

“They should be on the lookout for the text messages, phone calls or emails that purported to be from Twitch or Twitch related.”


Callow says users should immediately change their Twitch passwords, along with any passwords for sites that share the same or similar password.

As an additional security step, Callow says users should turn on two-factor authentication for Twitch, which requires users to input both their password and a secondary code sent to their smartphone in order to log in.

Parents who have young Twitch users at home should help facilitate these changes and make note of any changes to other accounts.

“[Passwords] should be fairly long and complex. Most importantly, however, they should not be reused on other websites and whenever possible be protected by two-factor authentication,” Callow said.

Longstanding data shows that the most secure passwords are long, alphanumerical and hard to guess – in other words, don’t use words, phrases or numbers that someone could easily guess if they had your basic personal information (think: your birthdate).

If you have a hard time remembering your passwords, try stringing together three or four random words you’ll remember, which is often as strong as an alphanumerical password.


The Amazon-owned platform confirmed the leak Wednesday stating, “We can confirm a breach has taken place. Our teams are working with urgency to understand the extent of this.”

Both Twitch and Amazon declined to comment further; however, the website remains active for users.

Twitch, a streaming platform with more than 30 million average daily visitors, has become increasingly popular with musicians and gamers, along with millions of young users who log on to follow their favourite personalities.

“The fact that it is younger individuals, I think in itself is concerning just given the fact that were they as aware of cybersecurity? Were they using their parent's [financial] accounts as well? Do they follow all the safety protocols? Chances are. Probably not,” cybersecurity expert Ritesh Kotak told CTVNews.ca by phone Wednesday.

“And what we've learned is there's no such thing as delete on the internet. So once your information is out there, it's out there.”

While it remains unclear just how much user data was leaked, since the majority of the attention stemming from the leak seems to be directed at the platform’s inner workings, Kotak warns that things like security questions and billing information could have been left unencrypted.

He notes that users who used similar login information across multiple sites run the risk of becoming victims of “credential stuffing,” where cybercriminals use stolen usernames and passwords from one organization to access user accounts at another.

“It’s bad all around – young person or not – but significantly for younger people because this is really going to follow them for the rest of their life,” he said.

Kotak adds that parents worried about their own financial or credit card data should also turn on security alerts for their accounts as added security.​