Twitch Allegedly Faces Massive Data Breach


Update 7 October 2021: Twitch put out a blog post to address and clarify details about the reported data leak. The streaming service said the data was “exposed to the internet due to an error in a Twitch server configuration change.” Twitch added that since investigations are ongoing, it has yet to assess the complete impact of the incident. The platform said that, at this time, it had no indication of login credentials being exposed. It added that because it does not store full credit card details, none were exposed in the leak.

As a cautionary measure, the platform has reset all stream keys. Users can get their new stream keys here. Users may need to manually update their software with the new key to start their next stream.

Popular streaming service Twitch appears to be the victim of a massive data breach. A hacker claims to have leaked 125 GB of Twitch data in a torrent file posted to 4chan.

The file includes information like the Twitch source code and creator payout reports from 2019. Some Twitter users who are going through the torrent claim that it also includes encrypted passwords.

Furthermore, the hacker has gained access to, and released, Twitch’s internal “red teaming” tools. A red team is a group that plays the role of an attacker in order to detect vulnerabilities and improve the company’s cybersecurity. Organizations that manage large amounts of sensitive information usually have their own red teams.

The hacker claims that this is the first part of the planned leak. However, they have not disclosed any details of the rest of the leak.

Hacker Posts 125 GB Torrent File on 4Chan

On Wednesday, the hacker posted a 125 GB torrent link to 4chan. The stated intent behind the leak was to “foster more disruption and competition in the online video streaming space” because “their community is a disgusting toxic cesspool”.

The files mentioned on 4chan are publicly available to download. They reportedly include the following Twitch data:

  • Twitch’s entire source code, with comment history dating back to the company’s “early beginnings”
  • Reports detailing creator payouts from 2019
  • Twitch clients on mobile, desktop, and console
  • Information about Twitch’s internal AWS service usage and proprietary SDKs
  • “Every other property that Twitch owns,” which also includes CurseForge and IGDB
  • A Steam competitor, internally titled “Vapor,” still unreleased, and developed by Amazon Game Studios
  • The company’s internal “red teaming” tools (designed to improve the company’s security image by having internal staff act as hackers)

An anonymous company source stated that the breach is legitimate, and it is believed that the data was obtained as recently as Monday. The hacker stated that the released information is only part of the planned leaks. They did not elaborate on what they plan to release next.

The files also contain the Unity code for a game called Vapeworld, which appears to be chat software based on Amazon’s unreleased Steam competitor Vapor.

Twitch Users Advised to Take Protective Measures

Twitch users are advised to turn on two-factor authentication to protect their accounts. The additional layer would require users to prove their identity using SMS or an authenticator app. By doing so, they can secure their accounts even if their password is compromised.

Users can follow these steps to turn on two-factor authentication:

  • Sign in to Twitch, and navigate to Settings from your user avatar
  • Click on “Security and Privacy,” then browse to Security settings
  • Select “Edit Two-Factor Authentication,” and enable it if you haven’t already. Keep your phone close by to complete the process.

Passwords are the first line of defense against data theft. It is very important to create a strong and unique password for all your internet accounts, such as social media, streaming sites, banking, etc.

However, it can be difficult to manage or remember all your passwords. Password managers make this easy by remembering a unique password for every site you visit. If you want to learn more about password managers, including information on some of the best password managers out there, check out our resource here.

Technology policy researcher
Prateek is a technology policy researcher with a background in law. His areas of interest include data protection, privacy, digital currencies, and digital literacy. Outside of his research interests, Prateek is an avid reader and is engaged in projects on sustainable farming practices in India.