Live video broadcasting service Twitch has been hit by a massive hack that exposed 125GB of the company’s data. In a 4chan thread posted (and removed) Wednesday, an anonymous user shared a torrent file of the data dump. The dump contains the company’s source code and details of money earned by Twitch creators.
Twitch admits to breach but is unsure of the “extent”
In a 4chan post seen by Ars today, an anonymous user claimed to leak 125GB of data lifted from 6,000 internal Twitch Git repositories. The forum poster mocked Amazon’s acquisition of Twitch, writing, “Jeff Bezos paid $970 million for this, we’re giving it away FOR FREE.”
The hacker wrote that the purpose of the leak was to cause disruption and promote competition among video streaming platforms. The hacker further said that Twitch’s “community is a disgusting, toxic cesspool.”
Twitch has admitted to the breach but has not responded to Ars’ questions. It appears that even Twitch isn’t aware of the full extent of the breach, as the company is still working out the details.
Update: In an advisory posted yesterday at 10:30 pm PT, Twitch blamed the data exposure on a “server configuration change that was subsequently accessed by a malicious third party.” As the investigation into the full impact continues, Twitch states that, at this time, there is no evidence to indicate that login credentials were leaked. Additionally, Twitch does not store full credit card numbers and as such confirms these were not, and could not have been, exposed.
Earnings of top Twitch creators revealed
The same thread on 4chan also claimed to expose “creator payout reports from 2019 until now. Find out how much your favorite streamer is really making!”
Notably, the 125GB archive is titled “Part One,” alluding to the possibility of future leaks.
A small subset of data seen by Ars shows the earnings of the top 10,000 Twitch users next to their usernames. An updated list was posted by game creator Sinoc, and a Twitter user who analyzed the dump posted a detailed breakdown of the payouts.
An anonymous Twitch source confirmed to Video Games Chronicle that the leaked data, including Twitch’s source code, is legitimate. According to the company source, the data was obtained as recently as Monday.
The 4chan poster claims the leaked data dump contains:
- The entirety of twitch.tv’s source code, with commit history from the beginning
- Creator payout reports starting from 2019
- Mobile, desktop, and video game console Twitch clients
- Proprietary SDKs and internal AWS services used by Twitch
- Data from “every other property that Twitch owns,” including IGDB and CurseForge
- Information about an unreleased Steam competitor (“Vapor”) from Amazon Game Studios
- Twitch’s internal “red teaming” tools used by SOC (security) teams
The dump also reportedly contains Unity source code for a game called “Vapeworld.”
Portions of the leaked archive are vast and contain large ZIPs, and it may be days before the complete extent of the breach is understood.
Some Twitter users also claimed to see encrypted passwords present in the dump and are urging Twitch users to enable two-factor authentication and change passwords as a safeguard.
The hack puts more bad news on Twitch’s plate and follows a recent and long-awaited public response to hate raid issues. During such raids, vulgar and hateful speech is dumped into the site’s prominent chat feeds by users and bots.
Interestingly, NBC’s tech investigations reporter Olivia Solon says that all of Amazon’s warehouse systems were hit by a network disruption last night, although the company won’t confirm if this event was connected to the Twitch hack.