Popular video game streaming service Twitch appears to have been hacked “in its entirety”, according to an anonymous hacker on 4Chan. The hacker posted a torrent file of 125G that contains source code as well as information on creator payouts.
The anonymous hacker commented on 4Chan that the reason for the leak was to “foster more disruption and competition in the online video streaming space.”
Privacy Affairs downloaded the entire 125GB and we can confirm that the leak is authentic. It appears to contain data from as recent as last week and goes back as far as 2019.
Update: A former Twitch software engineer confirmed the authenticity of the leak
Update 2: Several Twitch streamers on Twitter have confirmed that the leaked creator payout details are accurate
The leak includes the following information:
- Creator payout details going back 3 years (incl. exact amounts paid out to individual creators)
- The entirety of twitch.tv, “with commit history going back to its early beginnings
- Source code for the mobile, desktop, and video game console Twitch clients
- Code related to proprietary SDKs and internal AWS services used by Twitch
- A Steam competitor currently unreleased
- Twitch properties data like IGDB and CurseForge
- Internal Twitch security tools
The poster is joking that Amazon’s Jeff Bezos paid $970 million to buy Twitch, while they are leaking the “entirety of twitch.tv” for free.
What is more concerning is that the leak was titled “part one” on the forum board, possibly indicating that there might be a part two with more information to come.
Based on our analysis no compromising user information such as passwords were included in this leak.
However it cannot be ruled out that the hackers haven’t obtained this data, but opted not to release it at this time. If more leaks are to come, they may include sensitive account data such as passwords.
While it is not certain, data such as user passwords may be released in the potential “part two” of this leak that is hinted at by the anonymous hacker.
Twitch users are highly advised to immediately change their passwords and enable two-factor authentication.
Furthermore, account holders using the same Twitch email and password combination on sites and apps, are advised to change their passwords on every other platform as well.
The leaked data also seems to include user identity and authentication mechanisms (without passwords) as well as admin management tools.
It’s believed that the source of the leak was an internat Git server used by Twitch. These servers are used by companies with large teams of developers to easily implement core updates and made rollbacks when necessary to source code repositories.
We will update this story as new information emerges.
We are still analyzing the large 125GB of leaked data.