Twitch hacked: Streaming site suffers massive data breach


Hacker said they were protesting Twitch's lack of action on toxic behaviour

Game-streaming platform Twitch has fallen victim to a major data breach that divulged confidential company data, including popular streamers' earnings, online.

'We can confirm a breach has taken place,' Twitch said in a message posted on Twitter.

The platform added that its team were 'working with urgency to understand the extent of this' and that they would 'update the community as soon as additional information is available'.

The company said the breach was the result of 'an error in a Twitch server configuration change that was subsequently accessed by a malicious third party'.

That 'malicious third party' posted a 125GB torrent link on a 4chan messaging board on Wednesday.

The hacker claimed they had leaked the entirety of Twitch, including its source code, commit history, user payout reports from 2019, proprietary SDKs, Twitch clients, and internal AWS services used.

The platform's internal 'red teaming' (security) tools, as well as an in-development Steam competitor codenamed Vapor, from Amazon Game Studios, were also leaked.

The documents show that popular streamers such as Nickmercs, DrLupo and Shroud have earned millions of dollars from working with Twitch. The highest earners were popular Dungeons & Dragons stream Critical Role, followed by xQc and Summit1G; these accounts have respectively earned $9.6 million, $8.4 million and $5.8 million from streaming on Twitch from 2019 to 2021 (although most payouts were much, much lower - only 81 of the thousands of streamers on the platform have earned over $1 million).

The hacker said that the primary purpose of the leak is to promote competition in the online video streaming space by punishing Twitch for its lack of action on toxicity. They said the community had become 'a disgusting toxic cesspool'.

For example, one of the issues Twitch has recently been trying to deal with is 'hate raids' - the organised harassment of streamers from minority backgrounds. After several weeks of hate raids, some Twitch streamers took 'a day off' in August to protest the firm's lack of action.

Twitch has said it is taking steps to stop hate raids, but that it is not a simple task.

The company says passwords were not leaked, but people logging in today have been met with a prompt to change their password, so it is best to be on the safe side. If you're a Twitch member, we highly recommend that you change your password and enable two-factor authentication, if you haven't done so already. To do this, log into Twitch and click your avatar in the top-right, then go to Settings > Security and Privacy.

Commenting on the recent data breach, Stuart Green, Cloud Security Architect at Check Point Software said: "Anytime source code gets leaked it's not good and potentially disastrous. It opens a gigantic door for evil doers to find cracks in the system, lace malware, and potentially steal sensitive information."

James Smith, Head of Offensive Security at Bridewell Consulting, noted: "It's still too early to know exactly how the breach occurred, however, the company needs to balance the need to communicate with customers quickly against the need to ensure information communicated is accurate.

"The problem is working out what has been taken, and when, can be very challenging for many organisations which is why businesses need to shift from a security monitoring and notification approach to one focused on threat detection and response, known as MDR."