IGN Twitch Hack: How Leaked Restream.io Credentials Hijacked a Major Media Channel

On 2 May 2026, gaming media giant IGN was hacked in a way that should worry every organization relying on third-party streaming services. At approximately 22:15, an unauthorized livestream went live on IGN’s official Twitch channel. Viewers reported it to Twitch moderators within minutes, and by 23:00 the channel had been taken down. By the time it was restored, IGN’s video archives had been wiped as part of the recovery.

It was a quiet incident by breach standards, with no reported data theft or account exploitation beyond the stream hijacking. But the mechanics behind the IGN Twitch hack deserve a closer look, because they expose one of the most underestimated threats facing modern organizations: the long, quiet half-life of credentials harvested by infostealer malware.

How was IGN’s Twitch hacked?

The attacker did not breach IGN’s infrastructure directly, exploit a zero-day or phish an employee. They simply logged in using legitimate credentials.

IGN, like a vast number of media organizations and streamers, uses Restream.io to manage its livestreams. Restream is a paid RTMP relay service that takes a single stream and pushes it out to Twitch, YouTube, and other platforms simultaneously. It also offers conveniences like unified chat across platforms and placeholder content if the RTMP feed drops. Setting up an nginx proxy for RTMP yourself is a hassle, so Restream has become enormously popular in the streaming world.

That popularity is exactly what makes it a high-value target. When a Restream account is compromised, the attacker does not just get access to one platform, but can reach every channel that account broadcasts to.

IGN Twitch stream hijacked by a white hat hacker

In IGN’s case, the credentials in question belonged to the senior video director responsible for managing the account. Both the Restream login and the associated employee email had appeared in infostealer dumps, including alien_txtbase leaks, as far back as April 1. The credentials sat in those dumps for roughly a month before someone found them and decided to use them.

Restream.io credentials identified in alien txtbase infostealer dumps

This detail challenges a common misconception that if stolen credentials are not used immediately, the risk diminishes over time. In reality, the opposite is often true. The 2024 Snowflake customer attacks, which affected major brands including Ticketmaster and AT&T, were traced back to credentials harvested by infostealer infections dating as far back as 2020. Mandiant’s investigation found that at least four in five of the credentials used had been previously exposed.

Why third-party services are high-risk

The compromised account was not a part of IGN’s central infrastructure, but an SaaS service that the media company uses. This means an account separate from IGN’s main network, managed under a credential that may not have been governed by the same policies, monitoring, or rotation schedules as primary corporate accounts.

Most organizations have decent visibility into their own Active Directory (AD) or identity provider. Far fewer have a clear inventory of every third-party service their employees have signed up for, what credentials are in use, how strong those passwords are, or whether any have been exposed in past breaches.

Shadow IT and weak credential hygiene compound the risks; an attacker does not need to come through the front door if a side door has been propped open by a forgotten Restream account, marketing automation tool, or freelance project portal.

Regulatory frameworks have started to catch up. NIST SP 800-63B explicitly recommends checking passwords against lists of compromised credentials and prohibiting their use. The UK’s Cyber Essentials scheme requires organizations to defend against the use of breached passwords as part of its password policy controls.

PCI DSS 4.0 goes further, pushing organizations toward continuous credential validation rather than periodic rotation, with the expectation that organizations know, on an ongoing basis, whether the passwords in active use across their environment have been exposed.

Auditing your own credential exposure

Knowing whether your credentials are exposed is now a requirement in many cases, but organizations often have no straightforward way to check. Specops Password Auditor is a free, read-only tool that scans your AD environment and produces a clear report on password related vulnerabilities. That includes accounts using passwords found in known breached password lists, accounts with identical passwords, accounts with passwords that do not meet your policy, stale admin accounts, and password policies that fall short of current best practice.

The Auditor scan does not change anything in your environment, but it produces a snapshot of password hygiene that is often the missing first step in any remediation effort.

For ongoing protection, Specops Password Policy with Breached Password Protection applies the same principle in real time. It continuously checks AD passwords against a daily updated database of over 6 billion compromised credentials, blocking users from setting or keeping passwords that appear in known breaches or infostealer dumps. The IGN Restream credentials sat in breach data for a month before they were exploited. A continuously enforced check would have flagged them long before the livestream went sideways.

If you’re looking to evolve your identity security strategy to include continuous breached password screening, contact Specops today.