Phishing on Twitch
Phishing attacks on Twitch steal streamer and viewer credentials through fake affiliate program emails, malicious chat links, and third-party tool sites that harvest Twitch OAuth tokens.
Part of: Phishing
Last reviewed: 1 June 2026
Twitch credentials are valuable to fraudsters: a compromised account with a following can be used to broadcast scam content to a ready-made audience, and linked payment and payout information has direct financial value.
Phishing attacks target streamers specifically because their accounts represent significant audience reach, while viewers are targeted for access to linked payment methods and connected game accounts.
How this scam works on Twitch
Streamers receive emails that appear to come from Twitch, offering Partner or Affiliate programme acceptance and asking them to log in to verify their eligibility. The linked page captures credentials and often the OTP required to complete login, enabling real-time account takeover.
Viewer-targeted phishing occurs via chat bot spam linking to fake reward pages, third-party extension sites that request Twitch OAuth logins, or impersonation messages claiming the user has won a channel prize.
Third-party overlay and alert tools — common among streamers — are targeted with malicious versions that, once authorised with Twitch credentials, capture the OAuth token and transmit it to attackers.
Common red flags
- Email claiming to be from Twitch requesting account verification or affiliate acceptance
- Chat link offering channel rewards requiring Twitch login
- Third-party tool requesting Twitch OAuth access with broad permissions
- Twitch notification about account changes you did not make
- Sender email address that is not on a twitch.tv or twitchinteractive.com domain
- Offer of Twitch Partner or Affiliate status that you did not formally apply for
How to protect yourself
- Enable two-factor authentication on your Twitch account
- Access Twitch only by navigating directly to twitch.tv — never through email links
- Regularly review authorised connected apps in your Twitch security settings and revoke unnecessary access
- Verify Twitch programme acceptance through the dashboard in your Twitch account, not through emails
- Only authorise third-party tools that appear on verified Twitch extension lists with established reputations
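The "broad permissions" red flag and the advice on authorising third-party tools can be checked mechanically before anyone clicks Authorize. The following is an added example, not code from this page or from Twitch: it assumes Twitch's authorization endpoint is https://id.twitch.tv/oauth2/authorize, and the broad-scope heuristic, sample links and placeholder client IDs are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Assumption: Twitch's OAuth authorization endpoint is id.twitch.tv/oauth2/authorize.
AUTH_HOST, AUTH_PATH = "id.twitch.tv", "/oauth2/authorize"
# This example's own heuristic (not a Twitch classification): scopes with these
# segments can change the account or channel; the stream key allows broadcasting.
WRITE_SEGMENTS = {"manage", "edit"}
SENSITIVE_SCOPES = {"channel:read:stream_key"}

# Constructed sample links; client IDs and hosts are placeholders.
SAMPLES = {
    "narrow": "https://id.twitch.tv/oauth2/authorize?response_type=code"
              "&client_id=EXAMPLE_CLIENT_ID"
              "&redirect_uri=https%3A%2F%2Falerts.example%2Fcb&scope=chat%3Aread",
    "broad": "https://id.twitch.tv/oauth2/authorize?response_type=token"
             "&client_id=EXAMPLE_CLIENT_ID"
             "&redirect_uri=https%3A%2F%2Foverlay.example%2Fcb"
             "&scope=chat%3Aread+channel%3Amanage%3Abroadcast"
             "+channel%3Aread%3Astream_key+user%3Aedit",
    "lookalike": "https://id.twitch.tv.example.net/oauth2/authorize?scope=chat%3Aread",
}


def review_authorize_url(url):
    """Check a 'Connect with Twitch' link: real endpoint, and which scopes it asks for."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    # Exact match only: a suffix or substring test would accept the lookalike host.
    genuine = parts.scheme == "https" and host == AUTH_HOST and parts.path == AUTH_PATH
    # The scope parameter is a space-delimited list once URL-decoded.
    scopes = " ".join(parse_qs(parts.query).get("scope", [])).split()
    broad = sorted(s for s in scopes
                   if s in SENSITIVE_SCOPES or WRITE_SEGMENTS & set(s.split(":")))
    findings = []
    if not genuine:
        findings.append(f"login page is not {AUTH_HOST}: {host or 'no host'}")
    if broad:
        findings.append("broad scopes requested: " + ", ".join(broad))
    return {"genuine_endpoint": genuine, "scopes": scopes,
            "broad_scopes": broad, "findings": findings}


if __name__ == "__main__":
    for name, link in SAMPLES.items():
        result = review_authorize_url(link)
        print(name, result["findings"] or "no findings")
```

A link with no findings still deserves the reputation check described above; this only catches the wrong login host and over-broad scope requests.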
How to report it
- Report phishing accounts and spam bots via Twitch's report function in chat
- Forward phishing emails to [email protected]
- Report phishing domains to Google Safe Browsing at safebrowsing.google.com/safebrowsing/report_phish
Frequently asked questions
How does Twitch communicate official programme offers?
Twitch programme notifications (Affiliate, Partner) appear in your Creator Dashboard and may be accompanied by official emails from @twitch.tv addresses. Twitch never asks you to verify programme acceptance through an external link sent via email.