In a massive data breach, Twitch has been hacked and its source code leaked, including a lot of internal SDKs and AWS services that the platform uses. The leak also included an unreleased Steam competitor from Amazon Game Studios and details of creator payouts.
The attacker has posted about the breach on 4chan, an image bulletin board. The poster included a 125GB torrent that claims to have the entirety of Twitch and its commit history.
The hacker seems to have focussed more on Twitch’s internal tools and functions rather than the code that deals with user credentials, but that doesn’t mean credentials haven’t been leaked as well.
The big Twitch dump
The leak includes the following data:
- Roughly three years' worth of creator payout details.
- The entire source code for the website with the commit history going back to “its early beginnings”.
- Source code for the mobile, desktop and game console clients.
- Code related to proprietary SDKs and internal AWS services used by Twitch.
- Data on Twitch properties like IGDB and CurseForge.
- Twitch’s internal security tools.
- An unreleased Steam competitor from Amazon Game Studios.
The leak is labelled “part one”, which suggests that there’s more data than initially released. Video Games Chronicle was the first to report the breach and has said that an anonymous company source told it that the breach is, in fact, legitimate, and the data was obtained as recently as Monday.
Numerous sites have also popped up that have collected the source code from the 4chan torrent and hosted it as individual repositories. Twitch has acknowledged the data breach and is “working with urgency to understand the extent of this.”
The company has been struggling to deal with the ongoing hate and harassment lately as creators on the platform push for action. The anonymous poster on 4chan also used the #DoBetterTwitch movement hashtag to promote the leak.
While the leak doesn’t seem to include passwords or other sensitive information on its users, it doesn’t mean that this information hasn’t already been obtained. We suggest changing your Twitch password and enabling two-factor authentication as soon as possible.
Twitch resets all Stream Keys
Out of “an abundance of caution”, the company issued an update stating that it has reset all Stream Keys on the platform. Users can get their new stream keys the usual way.
Anyone using Twitch Studio, Streamlabs, Xbox, PlayStation, the Twitch mobile app and OBS with Twitch logged in shouldn’t need to take any action. Other users who need access to the stream key will have to adjust their settings manually.
Admission of breach
Twitch has put out a statement admitting that “some data was exposed to the internet due to an error in a Twitch server configuration change that was subsequently accessed by a malicious third party.”
The company assured users that no login credentials have been exposed, at least at the time of writing the update, and that since Twitch doesn’t store full credit card numbers, they weren’t exposed.
Update [2:31 PM | 07/10/2021]: Added Twitch's response.
Someone who writes/edits/shoots/hosts all things tech and when he’s not, streams himself racing virtual cars. You can reach out to Yadullah at [email protected], or follow him on Instagram or Twitter.