Our teams are working with urgency to investigate the incident.Īs the investigation is ongoing, we are still in the process of understanding the impact in detail. We have learned that some data was exposed to the internet due to an error in a Twitch server configuration change that was subsequently accessed by a malicious third party.
For all others, please refer to specific setup instructions for your software of choice.OBS users that have not connected their Twitch account to OBS will need to manually copy their stream key from their Twitch Dashboard and paste it into OBS. OBS users who have connected their Twitch account should also not need to take any action.Twitch Studio, Streamlabs, Xbox, PlayStation and Twitch Mobile App users should not need to take any action for your new key to work.
ĭepending on which broadcast software you use, you may need to manually update your software with this new key to start your next stream: Out of an abundance of caution, we have reset all stream keys. We have taken steps to further secure our service, and we apologize to our community. We take our responsibility to protect your data very seriously. We are contacting those who have been impacted directly. We’ve undergone a thorough review of the information included in the files exposed and are confident that it only affected a small fraction of users and the customer impact is minimal. The exposed data primarily contained documents from Twitch’s source code repository, as well as a subset of creator payout data.
We are also confident that systems that store Twitch login credentials, which are hashed with bcrypt, were not accessed, nor were full credit card numbers or ACH / bank information. Our team took action to fix the configuration issue and secure our systems. We’re constantly trying to improve the developer experience, so if you encounter any difficulty using Twitch embed, please provide feedback via Embed Feedback.As we said previously, the incident was a result of a server configuration change that allowed improper access by an unauthorized third party. Certain features, such as the ability to send chat messages, may be disabled if the iframe is obscured or not visible.ġ.4 Embeds must adhere to the recommended minimum height and width requirements outlined in their respective attribute tables. Embed domains that don’t specify this parameter will trigger a playback error message that will direct end users to click through to Twitch if they wish to watch that content.ġ.3 Embeds must utilize only Twitch-approved player elements and should not be obscured in any way by other page elements in whatever domain context they may appear.
For more information, see the embed API documentation above and our initial announcement of the requirement. Depending on your integration method, you may provide this as a query parameter in an iframe src attribute, or as a property on the JavaScript object you use to construct a new Twitch embed. Twitch reserves the right to revoke your ability to use our embeddable experiences, for any reason, at any time.ġ.1 Domains that use Twitch embeds must use SSL certificates.ġ.2 Twitch requires our embed users to verify where they use our products on the web using a special parameter: parent. Twitch may revoke embed usage for domains that are not in compliance. The use of any Twitch embeddable experience must comply with the requirements below and the Twitch Developer Services Agreement.