By Staff Writer
A sophisticated cyberattack on popular live streaming platform Twitch has resulted in a massive leak of highly sensitive data. Among the trove of leaked data are recent creator payout reports and all of Twitch’s source code.
A verified 125GB torrent link was posted to 4chan on Wednesday. The person posting the link said they did so to “foster more disruption and competition in the online video streaming space.”
Cybersecurity industry insiders call the leak one of the biggest, if not the biggest, ever.
“We can confirm a breach has taken place. Our teams are working with urgency to understand the extent of this,” Twitch posted on Twitter.
Fifty-one million people use Amazon-owned Twitch. The platform is best known for video games and esports live streaming. Twitch also carries live music broadcasts and other creative content.
The leaked information includes payment information made to Twitch’s top streamers, detailing a user-by-user breakdown of every one million dollar plus streamer since 2019.
“The earnings list got my figure 100% correct,” one streamer told the BBC.
While IT experts are still working through the large volume of leaked data, information including Twitch’s source code with an extensive commit history, payment reports since 2019, and proprietary SDKs and internal AWS services used by Twitch appear to now be publicly available.
Also leaked is a list of Twitch’s desktop, mobile, and console clients, information on an unreleased Steam competitor codenamed Vapor (Steam is a popular online colour matching game), details of Twitch’s cyber threat counter teams and procedures, and other Twitch-owned properties, including IGDB and CurseForge.
Labelling the leaked data “Part One,” the 4chan poster says further releases of Twitch data will occur.
“Your personal information is constantly being shared with multiple people and organisations as we sign-up to websites and platforms such as Twitch,” said Bogdan Botezatu, director of threat research and reporting at Bitdefender Labs.
“Every bit of relevant information about you can, and most likely is, added to a file with your name on it. The situation with Twitch is a key example of this and is a danger for not only content creators on the platform but viewers as well.”
There are unconfirmed reports the leak also includes encrypted passwords. However, the cyberattack at this stage appears to target Twitch rather than its users. Nonetheless, users are being advised to change passwords and switch on two-factor authentication.
“As a platform with access to credit card information and other payment details, this is especially scary,” adds Botezatu.
Recently Twitch has found itself under fire from some users and creators over the platform’s failure to stop what are termed hate raids.
Hate raids refer to torrents of abuse directed at a streamer or user from dummy accounts, and they are becoming a problem on the Twitch platform.
Amid recent calls to boycott the platform, Twitch said it was aware of the problem, but there was no easy fix.
Wednesday’s leak is the latest in a series of serious PR issues for Twitch. The streaming platform says it will offer further updates on the cyberattack as information becomes available.