Popular video game streaming service Twitch appears to have been hacked “in its entirety,” according to an anonymous hacker on 4Chan. The hacker posted a torrent file of 125G that contains source code as well as information on creator payouts.
The anonymous hacker commented on 4Chan that the reason for the leak was to “foster more disruption and competition in the online video streaming space.”
Privacy Affairs downloaded the entire 125GB, confirming that the leak is authentic. It appears to contain data from as recent as last week and goes back as far as 2019.
Update: A former Twitch software engineer confirmed the authenticity of the leak
Update 2: Several Twitch streamers on Twitter have confirmed that the leaked creator payout details are accurate
The leak includes the following information:
- Creator payout details going back three years (incl. exact amounts paid out to individual creators)
- The entirety of twitch.tv, “with commit history going back to its early beginnings
- Source code for the mobile, desktop, and video game console Twitch clients
- Code related to proprietary SDKs and internal AWS services used by Twitch
- A Steam competitor currently unreleased
- Twitch properties data like IGDB and CurseForge
- Internal Twitch security tools
The poster is joking that Amazon’s Jeff Bezos paid $970 million to buy Twitch while they are leaking the “entirety of twitch.tv” for free.
We believe security online security matters and its our mission to make it a safer place.
What is more concerning is that the leak was titled “part one” on the dark web forum board, possibly indicating that there might be a part two with more information.
Based on our analysis, no compromising user information such as passwords were included in this leak.
However, it cannot be ruled out that the hackers haven’t obtained this data but opted not to release it. If more leaks are to come, they may include sensitive account data such as passwords.
While it is not certain, data such as user passwords may be released in the potential “part two” of this leak that is hinted at by the anonymous hacker.
Twitch users are highly advised to change their passwords and enable two-factor authentication immediately.
Furthermore, account holders using the same Twitch email and password combination on sites and apps are advised to change their passwords on every other platform as well.
The leaked data also seems to include user identity and authentication mechanisms (without passwords) and admin management tools.
It’s believed that the source of the leak was an internal Git server used by Twitch. Companies with large teams of developers use these servers to implement core updates easily and make rollbacks to source code repositories when necessary.
We will update this story as new information emerges.
We are still analyzing the large 125GB of leaked data.