By Jasper Hamill
An anonymous hacker has leaked a huge amount of sensitive data from Twitch, including its full source code and details of the top-paid streamers.
The unnamed attacker shared a link to a torrent file containing 125GB of data on 4chan yesterday.
They said the purpose of the leak was to “foster more disruption and competition in the online video streaming space” and slammed the Twitch community as “a disgusting toxic cesspool”.
“We have completely owned them, and in part one, are releasing the source code from almost 6,000 internal Git repositories,” the hacker wrote on 4chan.
“Jeff Bezos paid $970 million for this, we're giving it away FOR FREE. #DoBetterTwitch.”
The leaked data includes:
- Details of payouts made to creators since 2019
- Twitch source code with history “going back to its early beginnings”
- Source code from Twitch client apps for mobile, desktop, and games consoles
- Twitch’s internal security tools
- Code relating to Twitch software development kits and internal AWS services
- Details of a competitor to Steam built by Amazon Game Studios
- Information on other companies owned by Twitch, such as IGDB
Twitch has now reset all stream keys “out of an abundance of caution”. In a blog post, it wrote: “We have learned that some data was exposed to the internet due to an error in a Twitch server configuration change that was subsequently accessed by a malicious third party. Our teams are working with urgency to investigate the incident.
“As the investigation is ongoing, we are still in the process of understanding the impact in detail. We understand that this situation raises concerns, and we want to address some of those here while our investigation continues.”
“At this time, we have no indication that login credentials have been exposed. We are continuing to investigate.”
“Additionally, full credit card numbers are not stored by Twitch, so full credit card numbers were not exposed.”
The leak revealed that Twitch has paid 81 streamers more than $1 million since August 2019.
The highest-earning channel on Twitch is Critical Role, a team of voice actors playing Dungeons & Dragons, which has allegedly earned more than $9.6 million in Twitch payouts over the past two years.
Other streamers making the big bucks include Overwatch player xQcOW, Counter-Strike streamer summit1g, Fortnite gamer Tfue and Nickmercs, co-owner of FaZe Clan.
The top 10 highest-earning Twitch streamers:
- CriticalRole – $9.6 million
- xQcOW – $8.5 million
- summit1g – $5.8 million
- Tfue – $5.3 million
- NICKMERCS – $5.1 million
- ludwig – $3.3 million
- TimTheTatman – $3.3 million
- Altoar – $3.1 million
- auronplay – $3.1 million
- LIRIK – $3 million
The leak also contains details relating to the development of Amazon Vapor, a competitor for the video game platform Steam, which incorporates elements of Twitch into a new website.
Some security experts are describing the leak as one of the largest of all time. All Twitch users have been urged to reset their passwords and review their two-factor authentication settings.
James Smith, Head of Offensive Security at Bridewell Consulting, said: “The fact the hackers managed to steal the company’s source code is extremely concerning. The way in which the hacker published the data online suggests the motivation for the attack is either to raise notoriety or to make a statement in revenge for the company’s lack of action against hate raids.
“It’s still too early to know exactly how the breach occurred, however, the company needs to balance the need to communicate with customers quickly, against the need to ensure information communicated is accurate.
“Twitch is probably trying to understand the scale of the attack, how it occurred and whether the attackers have access to their systems via a backdoor to launch further attacks in the future. But it needs to provide its users with some level of assurance that the incident has been or is being dealt with.”
“The problem is that working out what has been taken, and when, can be very challenging for many organizations, which is why businesses need to shift from a security monitoring and notification approach to one focused on threat detection and response, known as MDR.”
Twitch has been at the center of controversy recently over “hate raids” in which groups of people target minority streamers and bombard them with abuse.
Before the hack, it tweeted: “Hate spam attacks are the result of highly motivated bad actors and do not have a simple fix. Your reports have helped us take action – we’ve been continually updating our sitewide banned word filters to help prevent variations on hateful slurs, and removing bots when identified.
“We’ve been building channel-level ban evasion detection and account improvements to combat this malicious behavior for months. However, as we work on solutions, bad actors work in parallel to find ways around them – which is why we can’t always share details.”