Twitch Pwned… Source Code, Financial Details & Other Details Published

It seems that game streaming site Twitch has been pwned by hackers. The entire Twitch source code, user comment history, and detailed financial records has reportedly been posted online by an anonymous hacker. According to VGC, the files were leaked to 4chan by an anonymous hacker:

The user posted a 125GB torrent link to 4chan on Wednesday, stating that the leak was intended to “foster more disruption and competition in the online video streaming space” because “their community is a disgusting toxic cesspool”.

VGC can verify that the files mentioned on 4chan are publicly available to download as described by the anonymous hacker.

Twitch has confirmed that the hack is real. As a result you should change your password and enable two factor authentication to protect yourself. But given that the following was leaked:

  • The entirety of Twitch’s source code with comment history “going back to its early beginnings”
  • Creator payout reports from 2019
  • Mobile, desktop and console Twitch clients
  • Proprietary SDKs and internal AWS services used by Twitch
  • “Every other property that Twitch owns” including IGDB and CurseForge
  • An unreleased Steam competitor, codenamed Vapor, from Amazon Game Studios
  • Twitch internal ‘red teaming’ tools (designed to improve security by having staff pretend to be hackers)

This can be consider a very devastating hack that Twitch and it’s owners Amazon are going to have great difficulty recovering from.

UPDATE: Marcus Fowler, Director of Strategic Threat, Darktrace had this to say about this hack: 

“Based on the information available, Twitch’s attacker appears to be a hacktivist working to damage the company for failing to take action against hate. This breach is on the heels of the mid-September hack against a web-hosting company, Epik, known for serving right-wing websites – continuing the emerging trend of malicious actors operating in line with their perceived ethical codes or social responsibilities. Current speculation points to this breach coming through a third-party provider to Twitch, which reminds companies that they are only ever as secure as their supply chain. In this case, as with so many cyber-attacks, the ramifications are likely to be vast for Twitch – from both a reputational and financial standpoint.The leak of the creator payloads would have been relatively straightforward (though time-consuming) to compute manually even before the leak – but collating these in one place has provided an extensive target list of individuals and organizations with high net worth for scammers to sift through. In today’s threat environment, no industry or organization is safe and the range of bad actors are not only those thinking about monetary gain or geopolitical advantage. Targets include traditional manufacturing companies through highly digitized live-streaming platforms like Twitch. All organizations should take measures – such as deploying advanced AI – to prepare for the worst-case scenario.”

UPDATE #2: June Werner, Cyber Range Engineer at Infosec Institute had this to say about this hack:

“This morning a 125 GB leak of Twitch’s data was made public. This leak includes the entirety of Twitch’s source code, the history of the source code, creator payout reports, proprietary development kits, an unreleased competitor to Steam, and internal security tools. This leak also describes itself as “part one”, meaning the leakers may have more data that they have not released and are planning to release at a future date. The release of Twitch’s source code may make it easier for malicious actors to find exploits on Twitch’s platform in the future. The details of what personal data the leakers may have had access to are not yet known, but in the meantime, the best action users of Twitch can take to protect themselves is to change their Twitch password, enable Two-Factor Authentication, and ensure that they are not using their old Twitch password for any other accounts.”

One Response to “Twitch Pwned… Source Code, Financial Details & Other Details Published”

  1. […] the second time this week, Twitch has been pwned. Hackers have managed to deface Twitch for a few hours this morning, […]

Leave a Reply

%d bloggers like this: