An unknown hacker has leaked the entirety of Twitch’s source code among a 128 GB trove of data released this week.
The hack, first reported by Video Games Chronicle and confirmed by multiple sources, includes:
The entirety of twitch.tv, with commit history going back to its early beginnings
Mobile, desktop and console Twitch clients
Creator payout reports from 2019
Proprietary SDKs and internal AWS services used by Twitch
Every other property that Twitch owns including IGDB and CurseForge
An unreleased Steam competitor, codenamed Vapor, from Amazon Game Studios
Twitch SOC internal red teaming tools
The hacker, who called themselves “Anonymous” on a 4chan discussion board, said Twitch’s community is “a disgusting toxic cesspool, so to foster more disruption and competition in the online video streaming space, we have completely pwned them, and in part one, are releasing the source code from almost 6,000 internal Git repositories.”
“Jeff Besos paid $970 million for this, we’re giving it away FOR FREE. #DoBetterTwitch,” the hacker added.
Twitch and Amazon, which owns the company, did not respond to requests for comment.
They released a brief statement on Twitter confirming that a breach occurred and pledging to release updates at some point.
Twitch is one of the biggest gaming platforms in the world, with an average of 15 million daily users and more than 2 million Twitch creators broadcasting monthly.
More than 18 billion hours of Twitch videos were streamed in 2020.
#DoBetterTwitch has trended for weeks as the platform has faced backlash for allowing “hate raids” — where the comment sections of minority gamers are overwhelmed by slurs and abuse. Twitch was forced to address the issue in a Twitter thread in August and pledged to do more about racial abuse.
“This is not the community we want on Twitch, and we want you to know we are working hard to make Twitch a safer place for creators. Hate spam attacks are the result of highly motivated bad actors, and do not have a simple fix,” Twitch said. “Your reports have helped us take action-we’ve been continually updating our sitewide banned word filters to help prevent variations on hateful slurs, and removing bots when identified.”
The words did little to quell outrage and gamers held a protest last month, boycotting the site for 24 hours due to the company’s inaction on “hate raids.”
Public reaction to the leak has focused on the massive earnings of popular gamers — which reached the millions for some. In an interview with BBC News, Fortnite streamer BBG Calc confirmed that his earnings in the leak were correct and other high earners backed it up.
There was also a significant amount of business information from Amazon released in the hack, including the company’s plans for a rival to gaming platform Steam called Vapor.
Others raised severe concerns about the security of the platform and the many bank accounts connected to it.
SocialProof Security CEO Rachel Tobac warned streamers to ensure their financial services have the strongest MFA available because they will now be targets for other hackers and scammers.
“For streamers with payout data leaked, this includes Venmo, CashApp, Bank, etc. If hardware based MFA is an option, move to that by end of day (though many banks still don’t offer security key options). If security key not an option, move to app-based MFA rather than SMS-based,” Tobac wrote.
“Intruders supposedly leaked Twitch internal red team tools & threat models — brutal. If true, this would likely include phishing lures known to be successful against Twitch employees, the hacking playbook. If you work at Twitch, be politely paranoid about messages, requests, etc.”
F-Secure researcher Jarno Niemela said password hashes have leaked, so all users should change their passwords and use 2FA if they are not doing so already.
“But as the attacker indicated that they have not yet released all the information they have, anyone who has been a Twitch user should review all information they have given to Twitch, and see if there are any precautions they need to make so that further private information isn’t leaked,” Niemela added.
All of Twitch’s red team security measures are now widely available, providing hackers with untold information about how to invade the company and those connected to it, she added.
Among the files leaked, experts were focused on the folders “core config packages,”http://www.zdnet.com/”devtools,” (developer tools) “infosec,” (information security).
James Chappell, co-founder of Digital Shadows, said one of Twitch’s internal GitHub repositories was stolen in the attack.
The leaked data was made available through torrents shared as magnet links. The data set appears to be comprehensive. It has also been labeled as a ‘part 1,’ which suggests that there is more to come. Whilst user data does not currently appear to be in the archive, users on the forum are speculating as to what may follow,” Chappell said.
“There appears to be evidence that the original files came from an internal GitHub server, git-aws.internal.justin.tv, was at least part of the breach. Justin.tv was the name of a company that eventually transformed into Twitch. It rebranded as twitch in 2011 – so this looks like a long-standing piece of infrastructure.”
Security experts like ThreatModeler CEO Archie Agarwal described the hack as “as bad as it could possibly be” and questioned how someone managed to exfiltrate 128 GB “of the most sensitive data imaginable without tripping a single alarm.”