Update: Twitch Source Code, Passwords, Creator Payouts, And More Leaked In Huge Security Breach
A hacker who posted over at 4chan claimed to have obtained source code for the website, mobile, and console versions of Twitch. In addition, the hacker gleaned information regarding the unannounced “Vapor” digital storefront from Amazon Game Studios that would compete directly with Steam and the Epic Games Store. As if that wasn’t enough of a blow to the Amazon-owned Twitch, the hacker claims to have captured payout details for some of the platform’s biggest creators.
Video Games Chronicle, which first reported on the leak, says that it has verified the information contained within the 125GB torrent file to be legitimate. Additionally, the leak contained encrypted passwords for user accounts. So, if you’re a Twitch user, it’s highly recommended that you change your password and enable two-factor authentication to provide an extra layer of security.
The gross payouts of the top 100 highest-paid Twitch streamers from August 2019 until October 2021: pic.twitter.com/3Lj9pb2aBl
— KnowSomething (@KnowS0mething) October 6, 2021
According to the publication, Twitch is aware of the data breach but hasn’t made a public statement yet. Instead, the company is probably working overtime to deal with any potential legal and user privacy implications from the leak, especially regarding the exact payout amounts tied to individual streamers.
Here is the complete list of information contained within this massive Twitch leak, according to Video Games Chronicle:
- The entirety of Twitch’s source code with comment history “going back to its early beginnings”
- Creator payout reports from 2019
- Mobile, desktop and console Twitch clients
- Proprietary SDKs and internal AWS services used by Twitch
- “Every other property that Twitch owns” including IGDB and CurseForge
- An unreleased Steam competitor, codenamed Vapor, from Amazon Game Studios
- Twitch internal ‘red teaming’ tools (designed to improve security by having staff pretend to be hackers)
Perhaps more troubling for Twitch is that this leak is listed as “Part 1.” That means that the original leaker is likely ready to follow up with even more intellectual property tied to Twitch and Amazon.
Twitch is currently dealing with a pervasive hate and harassment problem on its platform, which has led to “walkouts” by some of its top creators. The company has attempted to thwart these so-called hate raids. “No one should have to experience malicious and hateful attacks based on who they are or what they stand for,” said Twitch in a Twitter thread in late August. “This is not the community we want on Twitch, and we want you to know we are working hard to make Twitch a safer place for creators. Hate spam attacks are the result of highly motivated bad actors, and do not have a simple fix.”
It’s interesting to note that the hacker used the #DoBetterTwitch hashtag when releasing today’s data dump.
Updated 10/6/2021 @ 1:36 pm ET
Twitch confirmed the breach with the following tweet:
We can confirm a breach has taken place. Our teams are working with urgency to understand the extent of this. We will update the community as soon as additional information is available. Thank you for bearing with us.
— Twitch (@Twitch) October 6, 2021