Malicious software spread via chat forums on the video games streaming site Twitch can spend users' money without authorisation, it has emerged.
The Finnish security firm F-Secure said clicking on the malware links also enabled infiltrators to wipe accounts on the gaming shop, Steam.
Twitch is advising users not to use links from unknown sources.
The site, which was recently bought by Amazon for $970m (£597m) has more than 55 million unique monthly viewers.
The vulnerability originates from an automated account which, according to F-Secure, "bombards channels and invites viewers to participate in a weekly raffle for a chance to win things such as 'Counter-Strike: Global Offensive' items".
If viewers take the bait, they are invited to fill in their name and email address which then allows the malicious software to gain control, allowing it to:
- Take screenshots
- Add new friends in Steam (a gaming shop and community commonly linked to Twitch accounts)
- Accept pending friend requests in Steam
- Initiate trading with new friends in Steam
- Buy items, if user has money
- Send a trade offer
- Accept pending trade transactions
A spokesman for Twitch told the BBC that the vulnerability was the "first instance" he had seen, but that the site would "remind our community about not clicking on links from unknown sources just like they wouldn't on other social media sites".
He added: "Please note that we give all broadcasters the option to disable links in their chat which can easily prevent this."
Update: On Saturday, a spokesman said Twitch had only received two reports of the malware attack, and had blocked the link.