A huge hack targeting Amazon and Twitch has just been revealed. The breach will have massive implications for Twitch going forward: the company has been breached to a level that has certainly not been seen at a streaming service before. The leak comprises more than 120 GB of data and indicates that Twitch has been fully compromised.
The company has basically had many of its internal tools leaked, but that’s not all. So here’s what the breach and subsequent leak includes:
- The entirety of Twitch’s source code with details “going back to its early beginnings”
- Creator payout reports from 2019 and onward
- Mobile, desktop and console Twitch clients source code
- Source code and details of internal development tools
- Data from “every other property that Twitch owns” including IGDB and CurseForge
- An unreleased Steam competitor, codenamed Vapor
- Twitch internal security and pentesting tools
One of the major items included in the leak is the creator payout reports from 2019 up to now. The leaker seemed to brag about this, saying “find out how much your favorite streamers is really making!”
Having Twitch creator payouts leaked is bad enough, and likely to anger many users who feel their privacy has been compromised. But far worse is the source code leak. The entire site is now vulnerable to who knows how many exploits that have now been made much easier to uncover. The loss of internal testing and SDK tools is also a big problem, as it will make it easier for unscrupulous actors to clone Twitch for nefarious means.
It’s highly advisable to change your password on any of the accounts affected, and to turn on 2FA on all of your accounts. You will also want to unlink and reset any linked accounts. If you have a Steam account linked, it’s possible that API data showing login info could be compromised. You can check your connections by clicking the Connections tab under your account settings.
To turn on two-factor authentication:
- log on to Twitch, click your avatar and choose Settings
- go to Security and Privacy, then scroll down to the Security setting
- choose Edit Two-Factor Authentication to see if it’s already activated. If not, follow the instructions to turn it on (you’ll need your phone)
If you get an e-mail claiming to be from Twitch, make sure it’s not a phishing e-mail leading to a fake site. You can do this by looking at header data on the e-mail, as well as checking the source address. You should see obvious signs it came from Twitch in the case of a genuine e-mail.
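The header check described above can be scripted. The following is an added example, not part of the original article or any Twitch tooling; it assumes genuine mail is expected from `twitch.tv`, and both sample messages (including `mail.twitch.tv` and the `.example` domains) are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

EXPECTED = "twitch.tv"  # assumption: domain the genuine sender is expected to use

def domain_of(header_value):
    """Return the lower-cased domain of the address in a header, or ''."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def is_under(domain, parent):
    """True for parent itself or a real subdomain, not lookalikes like parent.evil.tld."""
    return domain == parent or domain.endswith("." + parent)

def check_headers(raw, expected=EXPECTED):
    """Return a list of warning strings; an empty list means nothing stood out."""
    msg = message_from_string(raw)
    findings = []
    for name in ("From", "Return-Path"):
        dom = domain_of(msg[name])
        if not is_under(dom, expected):
            findings.append(f"{name} domain {dom or '(none)'} is not under {expected}")
    # Only trust Authentication-Results stamped by your own mail provider;
    # a sender can add forged copies of this header.
    auth = " ".join(msg.get_all("Authentication-Results", []))
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth, re.I)
        result = m.group(1).lower() if m else "missing"
        if result != "pass":
            findings.append(f"{mech} result is {result}")
    return findings

# Constructed sample messages (not real Twitch mail).
GENUINE = """\
From: Twitch <no-reply@twitch.tv>
Return-Path: <bounce@mail.twitch.tv>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=mail.twitch.tv;
 dkim=pass header.d=twitch.tv; dmarc=pass header.from=twitch.tv
"""
PHISH = """\
From: Twitch Security <security@twitch.tv.account-check.example>
Return-Path: <bounce@mailer.example>
Authentication-Results: mx.example.net; spf=softfail smtp.mailfrom=mailer.example;
 dkim=none; dmarc=fail header.from=twitch.tv.account-check.example
"""

if __name__ == "__main__":
    for label, raw in (("genuine", GENUINE), ("phish", PHISH)):
        print(label, check_headers(raw))
```

Treat each finding as a prompt to look closer rather than proof: legitimate mail sent through a third-party mailer can carry a Return-Path on another domain.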
As for the reasons behind the attack and leak, it can best be described as spite. The poster made it clear that this was out of retribution. The company has been under fire recently over a surge in “hate raids”. This tactic is a popular attempt to marginalize certain creators, particularly BIPOC and LGBTQIA+ individuals, by targeting them with bots and chat spam. Said spam is often outright racist and homophobic, including hundreds of bot accounts spewing slurs. The attacks have been going on for months, and many feel Twitch isn’t doing enough to deal with the problem.
Because of this, the leaker called Twitch out, stating that “their community is also a disgusting toxic cesspool” and that they wanted to “foster more disruption and competition in the online streaming space.” Considering the damage their actions are likely to cause to innocent users, though, that altruistic message feels very hollow.