Twitch suffered a huge data leak late last week, with more than 100 gigabytes of data, reportedly taken from 6000 internal Twitch GitHub repositories, published on bulletin board site 4chan.
The Amazon-owned gaming, esports and music streaming platform confirmed the leak in a company blog, saying that the data was exposed to the internet through “an error in a Twitch server configuration change that was subsequently accessed by a malicious third party”.
The company is continuing its investigations and has said that login credentials do not appear to have been exposed, and that full credit card numbers, which are not stored by Twitch, have not been exposed.
Targeted data leak
The massive leak includes the Twitch source code with comment history going back years; details of an unreleased Steam gaming competitor called Vapor; mobile, desktop and video game console Twitch clients; various proprietary SDKs and internal AWS services used by Twitch; details about other Twitch-owned properties; and internal Twitch security operations centre tools that may include threat models, including phishing lures for employees.
Indicating that the hack is an apparent direct attack on Twitch, the hacker wrote that it was “an extremely poggers leak” when posting the massive data trove.
The hacker added that the site is a “disgusting toxic cesspool, so to foster more disruption and competition in the online video streaming space, we have completely pwned them…”
The hacker also said “Jeff Bezos paid 970 million for this, we’re giving it away FOR FREE”, with the hashtag “DoBetterTwitch”.
The site has had its share of controversy recently, something that appears to have motivated the hacker.
The leak comes weeks after a number of channels went dark and some streamers stepped away from the platform, branding it “#ADayOffTwitch”, to draw attention to the ‘hate raids’ happening on the site.
This protest stemmed from a #TwitchDoBetter movement created by streamers who had been hit by waves of abuse reportedly deployed by bots that target chats with hundreds of automatically generated messages. Twitch has promised fixes for this, but users have been left largely to fend off the hate attacks themselves.
Huge leak reveals huge gamer payments
At this stage, it doesn’t appear that personal details of Twitch users have also been exposed in the massive data leak, although it’s not clear whether encrypted passwords were in the data dump, and users have been advised to change all related passwords.
Former Twitch security engineer Thomas Shadwell told Motherboard that sensitive security code and information was not in the leaked source code.
Without doubt, one of the many eye-opening elements of the leak is the list of Twitch creator payments that go back to 2019, revealing some of the big-earning streamers on the site.
Soon after the leak was revealed, sites quickly appeared publishing leaderboards of top earners, although some days later not all these sites remain up.
A Top 50 Twitch streamers list appears to show that several top earners on the site earned close to $10 million (AU$13.6M), many made several million and everyone in this group collected more than $1 million (AU$1.3M) between August 2019 and October 2021.
Some gamers caught up in the leak have verified that the payouts are accurate, with several taking to Twitter to confirm the earnings figures.
These Twitch payouts don’t include merchandise, sponsorship and other off-platform earnings, and don’t take into account tax and streamers’ own costs to run their activities.
More to come?
Since briefly confirming the data breach but providing little detail, Twitch has said that “out of an abundance of caution” it has now reset all stream keys. Users need to go to the dashboard to get a new stream key.
However, some users will have to manually update their software, depending on the version of software they use, and OBS users who haven’t connected to their Twitch account will need to do the manual update. OBS users with connected accounts, along with Twitch Studio, Streamlabs, Xbox, PlayStation and Twitch Mobile App users, shouldn’t need to take any action for the new key to work, the company noted.
Amazon, which purchased the streaming site in 2014, has always maintained that Twitch would operate independently, although it’s not clear if Twitch runs its own servers.
Some critics of Twitch’s approach to curbing hate raids have suggested its independence from Amazon makes it harder to police and enforce decency standards through technical, network-wide restrictions.
Amazon suffered a two-hour network disruption days after the leak, although the company said it was quickly resolved, and it’s not clear if this is a related incident.
In a worrying sign, this may not be the only breach Twitch has to deal with.
When posting the data leak online, the hacker said it was “part one”, which suggests there may be more to come.
While Twitch scrambles to assess and investigate the leak, the company hasn’t provided any further detail at this stage.
While this leak includes a vast archive of files, including many large ZIP files, more details may yet emerge about the internal workings of Twitch, even without another data dump.
As they say, stay tuned.