Twitch has undergone a massive hack resulting in leaking the source code for its unreleased streaming service, creator payout details, and other sensitive information.
The attack was carried out by a group that has labeled the leaked data as “Part One,” which indicates more installments will be coming up soon. According to sources, Twitch is aware of the breach, but it hasn’t yet informed its users about it.
For your information, Twitch is an Amazon-owned live video streaming service that centers around live video game streaming and broadcasting of esports competitions. In September 2021, Twitch had over 8.07 million active streamers.
The ‘entirety of Twitch.tv.’ Hacked!
As seen by Hackread.com, a post was uploaded on the 4chan messaging forum where the hacker claims to release 125GB torrent, including the entirety of Twitch as well as its commit history.
The leak is designed to create “disruption and competition” in the online video streaming industry, as per the poster. According to the hacker, the content of the data leak includes:
- The entirety of twitch.tv, with comment history going back to its early beginning
- Mobile, desktop, and video game console Twitch clients
- Various proprietary SDKs and internal AWS services used by Twitch
- Every other property that Twitch owns including IGDB and CurseForge
- An unreleased Steam competitor from Amazon Game Studios
- Twitch SOC internal red teaming tools.
According to British cyber security researcher Kevin Beaumont, this leak is authentic, and the most recent code is for this week.
In a tweet, Beaumont said that:
The Twitch leak is real. Includes a significant amount of personal data. Feel bad for the InfoSec team, the attacker leaked lots of their data too including their threat models (which they probably want to update to include 4chan).
Apart from leaking Twitch.tv’s code, the attackers claim to have stolen all Twitch’s desktop, mobile, and console clients and accessed internal AWS, proprietary SDKs services Twitch uses.
Furthermore, the unreleased Steam competitor from Amazon Game Studios (bearing codename Vapour), properties such as CurseGorge and IGDB, and Twitch SOC internal red-teaming tools have also been hacked.
Moreover, creator payouts from 2019 to 2021 are also leaked, including top streamers like TimTheTatMan, Nickmercs, and xQc. As seen by Hackread.com, the leak includes three years’ worth of creator payout details on Twitch and the site’s commit history from as far back as when it was launched.
The hacker stated that the leak includes source code from around 6,000 internal GitHub repositories.
What’s Not Leaked?
It seems that this particular leak doesn’t include Twitch users’ passwords or address-related data. However, this doesn’t mean that the hackers hadn’t obtained or accessed this information.
As mentioned above, this could only be a portion of the hacked data, and they may leak more later. At the moment, the hacker/leaker may be focusing on sharing the company tools only.
What Should You Do?
Twitch is yet to respond to the issue. Until then, you should change your Twitch password and enable 2FA authentication if you haven’t already to stay protected.
Our analysis suggests that this hacking could result from the ongoing hate raids against Twitch as the hackers referred to Twitch’s users as a “disgusting toxic cesspool.”
In a conversation with Hackread.com, Danny Lopez, CEO at London, England-based cyber security company Glasswall Solutions, discussed the Twitch hack in detail. According to Lopez, “The volume of data which the hackers of Twitch have gained access to is concerning. Such sensitive information such as source codes and financial information should be protected by the highest levels of security.”
“With 15 million daily users, Twitch holds significant amounts of data, much of which contains personal information about its customers. It is essential that a proactive approach is taken to cybersecurity in order to protect such information – once hackers have access to systems, there is little else that can be done,” Lopez warned.
“At a time like this when details are unclear, Twitch users should also take immediate steps, which include changing their passwords and enabling two-factor authentication,” Lopez advised Twitch users.
Lopez further warned that “Even when all procedures and policies are well-executed, there’s no escaping the fact that adversaries are constantly looking to probe vulnerabilities. Often this is as simple as inserting malware using documents and files shared in their hundreds every day in a business environment. It’s vital organizations invest in cyber protection services that stay ahead of attackers by eliminating the threats while still allowing both internal users and external customers to use the systems as expected.”
“Attacks like these demonstrate that a traditional castle-and-moat approach to network security leaves organizations exposed. Zero trust security sees the world differently. No one is trusted by default, regardless of whether they are inside or outside a network. In a world where data can be held amongst multiple cloud providers, it is crucial to strengthen all processes relating to access verification. Without a zero-trust approach, organizations run the risk of attackers having a free reign across a network once they are inside,” he concluded.