Twitch blames server misconfiguration for massive data breach, resets all stream keys

Twitch resets all stream keys following massive data breach

Streaming platform faces a difficult future as sensitive data posted online

Twitch said on Thursday that it has reset all stream keys "out of an abundance of caution" following a data breach that reportedly divulged confidential company data, including popular streamers' earnings, online.

In an instructional update on its website, the video streaming platform said that following the key reset, users may need to manually update their broadcast software with the new key (depending on the software used) to start their next stream.

A stream key is a unique code used by streaming software to broadcast to the right Twitch account.

The platform said that users of Twitch Studio, Streamlabs, Xbox, PlayStation, Twitch Mobile App and OBS should not need to take any action for their new key to work.

"OBS users that have not connected their Twitch account to OBS will need to manually copy their stream key from their Twitch Dashboard and paste it into OBS," it added.

Twitch blamed a server configuration error for the massive data breach: "We have learned that some data was exposed to the internet due to an error in a Twitch server configuration change that was subsequently accessed by a malicious third party. Our teams are working with urgency to investigate the incident."

There is currently no evidence to suggest any login credentials or full credit card numbers were exposed in the breach, it said.

On Wednesday, a malicious hacker posted a 125GB torrent link on a 4chan message board, claiming that they had leaked the entirety of Twitch, including its source code, creator payouts going back to 2019, proprietary SDKs, and internal AWS services used.

Twitch's internal 'red teaming' (security) tools, as well as an in-development Steam competitor codenamed Vapor, from Amazon Game Studios, were also allegedly leaked. The documents show that popular streamers such as Nickmercs, DrLupo and Shroud have earned millions of dollars from working with Twitch.

The highest earners were popular Dungeons & Dragons stream Critical Role, followed by xQc and Summit1G; these accounts have respectively earned $9.6 million, $8.4 million and $5.8 million from streaming on Twitch from 2019 to 2021 (although most payouts were much, much lower - only 81 of the thousands of streamers on the platform have earned over $1 million).

The anonymous hacker said that the data posted is just "part one" - suggesting that they plan to release more data in coming days.

After the news of the data breach emerged, Twitch confirmed the incident, stating that it was assessing the impact of the breach and would follow up with more details later.

The platform is yet to confirm if all the data leaked by the hacker is genuine.

"A lot more damage is now in store for Twitch," Candid Wuest from cyber security firm Acronis told the BBC.

"The breach is already harming Twitch on all the fronts that count."

Wuest added that the leaked data "could contain nearly the full digital footprint of Twitch, making it one of the most severe data breaches of late."

"Releasing payout reports for streaming clients will not make the influencers happy either," Wuest noted.

Pavel Kuznetsov, MD of Positive Technologies, said: "With Twitch's source code, criminals could identify potential new vulnerabilities for use in the future as backdoors to the company's data.

"With information about the red teaming tools used by Twitch's SOC, criminals could reuse these tools in subsequent attacks on other objects."

In recent months, Twitch has been trying to deal with a number of issues on its platform, such as 'hate raids' - the organised harassment of streamers from minority backgrounds. After several weeks of hate raids, some Twitch streamers took 'a day off' in August to protest against the firm's lack of action on hate raids.

Twitch said it was taking steps to stop hate raids, but fixing this issue is not a simple task.