Live video streaming service Twitch has been hit by a massive hack that exposed 125GB of the company’s data. In a 4chan thread posted (and deleted) Wednesday, an anonymous user shared a stream file of the data dump. The leak contains the company’s source code and details of the money owed by Twitch developers.
Twitch admits breach but unsure of “extent”
In a 4chan post spotted by Ars today, an anonymous user claimed to have leaked 125GB of uploaded data from over 6,000 Twitch Git repositories. The conference poster mocked Amazon’s acquisition of Twitch, writing, “Jeff Bezos paid $970 million for this, it was given for FREE.”
The hacker wrote that the reason for the leak was to cause disruption and promote competition between video streaming platforms. The hacker also said that “the Twitch community is a disgusting, toxic cesspool.”
Twitch has admitted to the breach but did not respond to Ars’ questions. It appears that even Twitch doesn’t know the full extent of the breach, as the company is still working out the details:
We can confirm a crime has occurred. Our teams are working with urgency to understand the extent of this. We will update the area as soon as additional information becomes available. Thank you for bearing with us.
– Twitch (@Twitch) October 6, 2021
Update: In the tribe advice posted yesterday at 10:30 p.m. PT, Twitch blamed the data disclosure on “subsequently logged server configuration changes by a malicious third party.” As the investigation continues to fully evaluate the impact, Twitch states at this time there is no evidence to show that the login credentials were leaked. In addition, Twitch does not store full credit card numbers and as such verifies they are not, and cannot be disclosed.
Earnings of top Twitch creators revealed
The same thread on 4chan also claims to show “developer pay reports from 2019 to now. Find out how much your favorite stream is really doing!”
Notably, the 125GB archive is titled “Part One,” hinting at the possibility of future leaks.
A small box of data found by Ars shows the earnings of the top 10,000 Twitch users next to their usernames. There is an updated list posted about the creator’s game Sinoc, and a Twitter user who analyzed the leak shared the details of the payments:
An anonymous Twitch source confirmed Chronicle Video Games that the leaked data, including the Twitch source code, is legitimate. According to the company’s source, the data was received as recently as Monday.
A 4chan poster says the leaked data dump contains:
- All twitch.tv source code, including history from the beginning
- Creator payment reports starting from 2019
- Mobile, desktop, and video game console Twitch clients
- Proprietary SDKs and internal AWS services used by Twitch
- Data from “every other property owned by Twitch,” including IGDB and CurseForge
- Information about the unreleased Steam competitor (“Vapor”) from Amazon Gaming Studios
- Twitch’s “red zone” tools are used by SOC (security) teams
The leak was also reported in the Unity source code for a game called “Vapeworld.”
The portions of the leaked archive are large and contain large ZIPs, and it may take several days before you fully understand the nature of the breach:
Some Twitter users also said they found encrypted passwords in the dumps and are urging Twitch users to enable two-factor authentication and change passwords as security.
The hack puts more bad news on Twitch’s plate and follows a recent and long-awaited public response to hate speech cases. During such attacks, profanity and hate speech are poured into the site’s popular chat feeds by users and bots.
Interestingly, NBC technology investigative reporter Olivia Solon said that all of Amazon’s store systems were hit by one. network disruption last night, although the company will not confirm if this event has been linked to the Twitch hack.
According to Solon:
Amazon store workers across the US were unable to work for at least two hours last night because their internal software crashed and none of their scanners would work.
All Amazon will say is that it’s a “fast-resolving network outage.”
Amazon’s 2014 acquisition of Twitch maintained that the entity would operate “independently” from Amazon. As such, whether Twitch runs its own server stack or uses Amazon’s rack space is unclear.