Earlier today, a report from VGC noted that an anonymous hacker had claimed to have, “Leaked the entirety of Twitch, including its source code and user payout information.” Shortly after this was shared, official Twitch social media channels confirmed that yes, a data breach has indeed taken place.
Details regarding the severity of the hack have yet to be shared by Twitch, though we do have information that suggests the hack is quite extensive.
While the situation is developing, it sounds like now’s a good time to change your account passwords, enable two-factor authentication if you haven’t already, remove any payment information attached to your account, and in general, make sure your personal information is secure.
Update 10/7/21: On the Twitch blog, Twitch notes it has reset all user stream keys, but say there’s no indication that login credentials have been exposed. Additionally, they say that full credit card numbers are not stored by Twitch, and therefore were not exposed.
Twitch Confirms a Data Breach Has Taken Place (Developing)
In a report from VGC, an anonymous hacker claims to have “leaked the entirety of Twitch” including source code and payout information. The hacker posted a 125GB torrent link full of data to 4chan, which VGC verified to be real.
In it, the potential extent of the hack is detailed, and according to those who’ve started digging their way through the file, seems to be pretty severe. According to VGC, the hacker’s stated reason for the hack was to “foster more disruption and competition in the online video streaming space”.
They also expressed feelings of disgust at the Twitch community, which they describe as a “toxic cesspool”. Prior to Twitch confirming the data breach on their social media channels, VGC noted that an anonymous source verified the data leak, confirming that it does include source code for Twitch among other things of concern, such as encrypted user passwords.
The anonymous source also told VGC that Twitch is aware of the hack, which has since proven true. On Twitter, the official Twitch account shared the following statement:
“We can confirm a breach has taken place. Our teams are working with urgency to understand the extent of this. We will update the community as soon as additional information is available. Thank you for bearing with us.”
We can confirm a breach has taken place. Our teams are working with urgency to understand the extent of this. We will update the community as soon as additional information is available. Thank you for bearing with us.
— Twitch (@Twitch) October 6, 2021
While Twitch works to understand the extent of the hack, the report from VGC lists things reportedly included in the leaked Twitch data. Along with the aforementioned source code, which includes comment history “going back to its early beginnings”, the leak also contains the following (info courtesy of VGC):
- Creator payout reports from 2019 (revealing that many of the top 100 creators earn seven-figure sums)
- Mobile, desktop, and console Twitch clients
- Proprietary SDKs and internal AWS services used by Twitch
- “Every other property that Twitch owns” including IGDB and CurseForge
- An unreleased Steam competitor, codenamed Vapor, from Amazon Game Studios
- Twitch internal ‘red teaming’ tools (designed to improve security by having staff pretend to be hackers)
Obviously, for Twitch users the main factor of concern is the report of leaked passwords. As such, it’s recommended that Twitch users go in and update passwords, along with enabling two-factor authentication if you don’t already have it set up on your account.
As the situation develops, we’ll be sure to share any new information from Twitch and other sources as soon as it’s shared.
Related: CD Projekt Red Hack Could Be Part of a Much Bigger Problem
