Naked Security Naked Security

Twitch admits exposing user messages after archiving error

Games streaming giant Twitch has admitted accidentally exposing some users’ messages to other users as it shut down its legacy in-house messaging system in May.

Games streaming giant Twitch has admitted accidentally exposing some users’ messages to other users as it shut down its legacy in-house messaging system in May.
According to an email sent last week, a “bug in the code” written to archive old messages caused a “small percentage” of messages to be included in the wrong archives. Primarily, these were:

Streamers sending out mass communication to subscribers for example, and the majority of messages that were unintentionally provided to another user fall into that category.

Judging from user reaction on Twitter, this is accurate, which would mean that the mis-archived messages were promotional (Twitch being a streaming service on which users promote their own content).
Which isn’t to say that the content of these promotional messages, or replies, couldn’t also contain sensitive information. Said one Twitter user:


It’s not clear how many individual users were exposed, but the total number of messages appears to be modest. Given the in-house system’s deprecation in 2015 these would have related to the period before this date.
The incident does not affect the company’s current messaging system, a Skype-like desktop app developed from Curse, which it bought in 2016. This includes a facility to send private messages called ‘Whispers’, which also don’t appear to be caught up in the archive issue.
Who is affected? So far, the company has said the following:

We have notified users via email and provided them the affected messages for review.

If you received that email, you’re on the list. Logged-in users can also check by looking for a message in the archive section.
The company hasn’t explained why it took from early May until mid-August to start notifying users of the botched message archiving.