On October 6th, 2021, Twitch was allegedly hacked and 128GB of data was leaked online. This data is said to include streamers’ revenue, details of an upcoming Steam competitor, ‘Vapour’, and the website’s entire source code. Though we are not entirely sure at the moment what this means for streamers or the streaming service, in this article we are going to break down what we know about the breach and how it could potentially affect users.
Did Twitch Have a Data Breach?
Twitch has in fact confirmed the data breach. Though it has yet to comment on the information that has surfaced on the internet, top Twitch streamers have revealed that the leaked revenue figures are correct. In a post on Twitter, Twitch said, “Our teams are working with urgency to understand the extent of this.”
Though Twitch is not telling us exactly what has been leaked, the hacker reportedly posted 128GB of information to the online forum 4chan, calling the attack an attempt to “foster more disruption and competition in the online video streaming space” and later calling the leak “part one.”
What Was Leaked in the Twitch Data Breach?
Though the 4chan post from the anonymous hacker has been removed, it might have been too late, as many users took screenshots or even downloaded the torrents themselves. According to the hacker, the data breach included source code for:
- Entirety of twitch.tv, with commit history going back to its early beginnings
- Mobile, desktop and video game console Twitch clients
- Various proprietary SDKs and internal AWS services used by Twitch
- Every other property that Twitch owns including IGDB and CurseForge
- Twitch SOC internal red teaming tools
- How Golden Kappa works
The leak also came with creator payout reports, from 2019 until October 2021, detailing the precise revenue streamers made before tax.
Though it is unclear what this means for our personal information such as email addresses, social security numbers, and phone numbers, Twitch has stated in a recent blog, “At this time, we have no indication that login credentials have been exposed.” Given the circumstances and the claim of more leaks, I would not trust this information and urge all users to change their passwords and enable 2FA as a precaution. Twitch went on to add, “Full credit card numbers are not stored by Twitch so full credit card numbers were not exposed.”
Why Was Twitch Leaked?
The hacker has stated that this attack was an attempt to “foster more disruption and competition in the online video streaming space”, and went on to conclude the post with #DoBetterTwitch.
From the way this post is phrased, this sounds like an attack on the platform rather than an attack on streamers themselves, so I would not be surprised if personal data from users of the platform is still kept safe if this hacker has got their hands on it. The hashtag, somewhat resembling the #TwitchDoBetter used to promote the protest of hate raids on Twitch, makes this seem as if it is a user tired of the lack of action from Twitch to remove toxicities from the platform.
With the word “competition” being thrown out there, I believe what the hacker is trying to achieve here is for other services to use this leaked source code to create a more worthy competitor for Twitch. However, I do not believe that these toxicities stem from Twitch, and creating a new platform would merely move the issue. You don’t have to be a huge content creator to know that you do not read the comment section, so to speak. Of course, given the nature of Twitch as a platform, this is hard to do, especially with things like hate raids happening. The point is, every platform has some kind of toxicities; it’s just that with Twitch it’s a little more apparent than you would have hoped – a new service would face the same fate.
How Was Twitch Hacked?
The question still remains: how does a website as big and global as Twitch have 128GB of data stolen without any suspicions being raised? According to Twitch, “data was exposed to the internet due to an error in a Twitch server configuration change that was subsequently accessed by a malicious third party.”
Though the extent of the data that has been stolen is unclear at this time, we strongly advise you to enable 2FA on your account and change your password immediately to ensure your safety. Keep your eyes peeled for updates on this situation on Twitch’s Twitter and this blog post. This is by no means the end of this, from what this attacker is saying, though it’s safe to assume this is an attack on the streaming service rather than streamers themselves, so I would like to think our data is safe at this time.