
A wave of Twitch creators reported that unknown attackers have been able to access their accounts and modify payout settings. This happened even with two-factor authentication (2FA) enabled.
Creators started posting about the issue over the past couple of days. Some received emails warning that their payout method had been changed, while others discovered the change manually in their payout settings. None of them appears to have received any notification of a login attempt, despite having 2FA enabled.
Zach Bussey, a longtime Twitch industry reporter, posted about this issue and shared posts from affected users.
Twitch has not yet published any report or explanation of the cause, scope, or mitigations, but the company has acknowledged the issue and confirmed that they’re investigating it.

The mechanism of the account takeover is unknown. Possibilities include stolen session cookies, compromised creator emails, phishing, malware, or compromised third-party app connections.
Not long after this attack took place, Twitch updated its Cookie Notices, which describe the various types of cookies and their use. This is not even an indirect confirmation of anything, but it suggests the company thinks the attack was carried out by stealing session cookies. A stolen session cookie represents a session that has already passed login and 2FA, which would be consistent with the absence of login notifications.
This is not the first time Twitch creators have had issues with payout settings being altered by unknown hackers. In 2021, streamers publicly reported attackers changing payout information to redirect payouts. Back then, the company received lots of criticism because it could not recall successful payouts made to these fraudulent payment destinations.
The immediate impact of the current situation looks to be exactly the same: none of the creators reported loss of access or even compromised stream keys, as often happens with crypto scam streams. Still, if an attacker can modify payout destinations, the risk is direct financial loss, particularly if the change isn’t noticed before the next payout cycle.
It’s especially stressful because 2FA is usually perceived as a reliable step to secure accounts. Let’s hope Twitch fixes this issue and then gives us a report on how attackers are getting around the protection, and what remediation is available for creators whose payouts were already redirected.