Twitch hit with massive data breach that exposes source code

Twitch, an Amazon-owned video game streaming platform giant, has suffered a giant data breach that reportedly amounts to more than 125 gigabytes of data.  

First news of the breach appeared on a message board on 4Chan today with a torrent link to the leaked data. While the files have not been authenticated, a company source that spoke to Video Games Chronicle (VGC) has confirmed their legitimacy. 

Furthermore, the source confirmed that Twitch is aware of the breach, the current hypothesis being the data was acquired by the threat actor as late as Monday.  

The anonymous hacker claims to have leaked the entirety of Twitch, including its source code and user pay-out information. The threat actor claimed that the motive for the hack was to “foster more disruption and competition in the online video streaming space” and that Twitch’s “community is a disgusting toxic cesspool”. 

VGC has verified the files are publicly available to download as the anonymous hacker said.

Scope of the data breach 

Reportedly, the leaked data from the breach includes: 

  • The entirety of Twitch’s source code. 
  • Creator pay-out reports from 2019 to 2021. 
  • Twitch’s comment history. 
  • Mobile, desktop and console Twitch clients. 
  • Proprietary SDKs and internal AWS services used by Twitch. 
  • Twitch internal ‘red teaming’ tools, used for cybersecurity exercises where staff act as ethical hackers. 

Also included in the leaked data were IGDB and CurseForge, as well as a not-yet-released project from Amazon Game Studios codenamed Vapor, an attempt at a Steam competitor.

Some Twitter users who have been combing through the leaked data claim that encrypted passwords and stream keys may have also been compromised. 

Recommendations for Twitch users  

While, at time of publication, Twitch have not advised customers on what to do in response to this data breach, independent cybersecurity experts strongly recommend that, if you have a Twitch account, you should change your password and stream keys to safeguard your account. 

Furthermore, it’s also recommended that you enable two-factor authentication, so that your phone acts as an additional layer of security by verifying your identity via either SMS or an authenticator app.

To enable two-factor authentication:

  1. Log in to Twitch, click on your avatar and choose Settings.
  2. Go to Security and Privacy and scroll down to the Security settings.
  3. Select ‘Edit Two-Factor Authentication’ to see if it’s already turned on. If not, follow the instructions and have your phone on hand in order to activate it.

Public fallout for Twitch 

Twitch has a history of coming under fire from creators and users for a multitude of problems, especially with regard to a perceived lack of action against troublemakers in the Twitch community. The site has often been accused of having a “toxic” environment, with many incidents of racism, homophobia and sexism running rampant.

In September, Twitch streamers organised #ADayOffTwitch, urging fellow channels and viewers to partake in a 24 hour boycott of the site to protest hate raids. Hate raids, where channels acting in bad faith direct users to harass another channel, are rife on Twitch. 

Twitch have previously posted on Twitter they are “building channel-level ban evasion detection and account improvements to combat this malicious behaviour for months” and had rolled out an update to “better detect hate speech in chat”, although acknowledged that hate raids didn’t have “a simple fix”. 

Considering the supposed motive of this data breach, it seems their efforts in curbing toxicity on their platform were perceived as insufficient by the anonymous leaker. 

Another big factor in this data breach was the leaking of pay-out reports, which ranged from August 2019 to October 2021, for a large number of Twitch’s most popular streamers. Streamers like CriticalRole, Shroud and DrLupo were revealed to have earned millions of dollars from operating on the Twitch platform. 

Many of these apparent earnings have been shared on Twitter, although the integrity and legitimacy of some of these posted numbers has been further put into question as information in the files can be potentially altered by third parties once it’s downloaded.  

KnowNothingTV, for example, is strangely located among the list of top earners with an ‘income’ of “$0.00”. Some have argued that the poster of these particular screenshots, KnowSomething, is described as a “pseudointellectual and brother of @KnowNothingTV”, and have made accusations of potential third-party meddling with the data being posted.

Regardless, with the seeming privacy of its popular streamers compromised and members of the public questioning if these amounts are justified, Twitch could face backlash from both its regular users and big-earners alike. 

It also doesn’t help that this isn’t the first time Twitch has run into trouble with cybersecurity, being heavily criticised for how they handled their 2015 data breach, where their solution to accounts being hacked was making the minimum password length smaller, and the well-noted phenomenon of malicious actors using the site as a tool for fraud.

Damages to intellectual property 

This data breach also has consequences for Twitch’s intellectual property.

Among the leaked files is allegedly the entire source code for the Amazon-based streaming platform. Source code leaks can be especially devastating for organisations as they allow threat actors to illegally gain confidential user and corporate information, helping them find new exploits from the data. 

More code leaks in the torrent include the Unity code for a game named Vapeworld, seemingly chat software based around Amazon Game Studios’ unreleased Vapor. Code leaks for games and related software are generally very bad because they facilitate corporate espionage and make piracy more effective.

The threat actor has stated that they intend to leak more data in the future and that the 125GB file was just the first part of these planned leaks, but didn’t share any further information on what exactly they planned to release at a later date. 

At time of publication, Twitch has not made any statement on the reported leak or advised users to take any action regarding their account security.
