Massive Twitch Data Breach Reveals Source Code - What You Need to Know [Updated]

Updated with additional information from Twitch.

Twitch, a streaming and chat platform used by millions of online gamers and owned by Amazon, appears to have been seriously hacked.

Earlier today (October 6), an anonymous post on 4chan linked to a stash of 125 GB of data believed to contain Twitch's source code and financial information, including amounts paid to streamers, the Video Games Chronicle reported.

It also appears to have included source code for Vapor, a Steam competitor that Twitch is rumored to be developing. This is discussed in another article.

In response to an inquiry from Tom's Guide, Twitch issued this statement:

"We can confirm that an information breach has occurred. Our team is working urgently to understand the extent of this. We will report back to the community as soon as we have additional information. Thank you for your cooperation."

Earlier today, a similar statement was tweeted from the official Twitch account.

It is unclear if passwords, usernames, or credit card numbers were leaked, but the posted data is labeled as "part 1," suggesting that more data may have been leaked. One Twitter user stated that the data contained "encrypted passwords," but no one else who has seen the data has said so.

If you have a Twitch account, you may want to change your password immediately, just in case. Make it unique and strong. And if you haven't already enabled Twitch's two-factor authentication, turn it on.

If you are getting paid by Twitch, check the activity on the account from which the Twitch rewards are being transferred. Select the strongest security settings available for that account as well.

A 4chan poster who linked to the data torrent said that the Twitch community is "a disgusting toxic cesspool, so to promote more chaos and competition in the online video streaming space, we completely punked them and in part 1 has released source code from nearly 6,000 internal Git repositories."

Twitch has been criticized for allowing "hate raids" by herds of users against certain other users. Fed up, Twitch users organized a "Twitch strike" this past September 1 to protest Twitch's inaction.

The leaked data is said to include all Twitch source code dating back to the launch of the service; streamer payments dating back to 2019; Twitch client software code for desktop, mobile and console gaming; SourceForge code for other Twitch-owned properties; and the Vapor software, which Video Games Chronicle said was created by Amazon Game Studios.

Troy Hunt, who runs the password-checking site HaveIBeenPwned, posted a list of files included in Twitch's data stash on GitHub.

Perhaps of most concern was the leak of Twitch's proprietary "Red Team" tool, which was used by in-house hackers to test Twitch's security.

"If true, it likely contains a phishing lure known to have been successful against Twitch employees and a playbook for hacking," tweeted Rachel Tobac, CEO of SocialProof Security.

"If you work at Twitch, be politely paranoid about messages, requests, etc."

According to various reports on Twitter, the data appears to be legitimate. Several creators have stated that the payout data matches what Twitch has actually paid over time. The Record reporter Catalin Cimpanu tweeted that a former Twitch engineer said the data was real.

Late Wednesday (October 6), Twitch posted on its blog that "Due to an error in a configuration change on the Twitch server, some data was exposed to the Internet and subsequently accessed by a malicious third party."

"At this time, there is no indication that login information has been compromised," the post continued.

"Additionally, credit card numbers are not stored by Twitch, so no complete credit card numbers were compromised."

Twitch updated its blog post on Thursday (October 7), stating that it had reset all stream keys. Some Twitch streamers may need to manually update their client software.

Good to hear about the login credentials (username and password), but in any case we believe all Twitch users will need to reset their passwords and enable 2FA on their accounts. We do not know if this will be the last Twitch data to be leaked online.

We would also like to know more about how these credentials are stored and protected.

On the other hand, the phrase "complete credit card numbers" implies that credit card numbers were partially disclosed. This could mean that Twitch stores the last four digits of the number in plain text.

We contacted a Twitch representative who said the company could not comment further but would continue to update its blog.
