Mar 28

Frustrated users demand less secure passwords despite being hacked

Twitch is an Amazon-owned game streaming company. The company announced on its blog that it had been hacked, and also sent emails to concerned users. It then required users to change their passwords and increased the minimum number of characters in user passwords.

Twitch said all user passwords were to be reset after it detected possible unauthorized access to some Twitch user account information. According to the email sent to users, some cryptographic protections were used on passwords, but it wasn’t clear how strong they were. Twitch said it was possible passwords could have been captured in plain text by malicious code when users logged into the site on 3 March.

Various kinds of data could have been compromised, including credit card information, in particular card type, a truncated card number and the expiration date. Usernames and associated email addresses, passwords, the last IP address users logged in from, phone number, address and date of birth were also potentially stolen. With all that information, a hacker would have a good chance of stealing a victim’s identity.

Twitch users started to complain across Twitch’s social networks that they couldn’t remember their passwords; others said that when they tried to change their passwords to anything less than 20 characters, they weren’t allowed to because of the site’s restrictions. Users demanded they be allowed to use less secure passwords, and on the company Facebook page posted comments such as “if users want to use bad passwords, that’s their problem, not yours”.

Twitch caved to customer demands, announcing it would reduce the minimum password length to eight characters.

This backdown shows that people are not getting the message about the need for secure passwords. It’s been the case for a few years now that any 8-character password, no matter how random or how many numbers and special characters are used, can be hacked in seconds with a standard home computer with a games accelerator video card using freely available hacking software.

I would suspect that many of those same users demanding the return of the 8-character minimum password also use the same passwords across all their accounts, making them prime targets for identity theft.