Twitch, the popular video game streaming service acquired by Amazon last year for $970 million, has notified customers that their account information might have been accessed by an unauthorized third party.
The company hasn’t provided too many details on the incident. In a blog post published on Monday, Twitch informed users that their passwords have been reset and that they will have to set new ones the next time they log in to their accounts.
In an email sent out to affected customers, Twitch revealed that usernames, email addresses, “cryptographically protected” passwords, the IP address from which they logged in most recently, limited credit card information (card type, expiration date, and partial card number) have been exposed in the breach.
The attacker might have also gained access to names, phone numbers, dates of birth, and addresses, but only in the case of users who provided this information. The company says it does not store full credit or debit card data so payment information couldn’t have been accessed.
The notification emails received by some users also contain a note suggesting that attackers planted malicious code on Twitch’s website on March 3.
To prevent misuse, Twitch says it has expired passwords and stream keys, and disconnected Twitter and YouTube accounts.
Initially, Twitch wanted users to set new passwords that were complex and at least 20 characters long. However, after numerous users complained on social networks about the overly-restrictive password requirements, the company reduced the minimum length to 8 characters.
This isn’t the first time the credentials of Twitch users are exposed. Back in June 2013, the streaming service informed customers that their passwords and stream keys had been reset as a precaution after the company’s CDN partner mistakenly cached some pages that shouldn’t have been cached.