Well, this is bad. Twitch, the ultra-popular streaming site, appears to have been hacked. An anonymous leaker on the 4chan message boards released a 125GB torrent that allegedly contains source code for the streaming service, along with payout information for creators and details about an unreleased Amazon Steam rival dubbed “Vapor.”
You can’t trust anonymous hackers at their word, but noted security journalist Catalin Cimpanu of The Record downloaded some of the files and confirmed “the content of the leak is in tune with what the hacktivists claimed to have shared.” Meanwhile, security researcher Troy Hunt has compiled a Twitter thread of various Twitch streamers confirming that the payout data is legitimate, and Video Game Chronicles says “an anonymous company source” told them that “the leaked data is legitimate, including the source code for the Amazon-owned streaming platform.”
We’ve reached out to Twitch for confirmation, but this hack certainly appears legit. We will not be linking to the torrent. The files allegedly contain a treasure trove of deeply held secrets, including:
- Three years worth of payout information to creators
- Twitch source code “with commit history going back to its early beginnings”
- Source code for Twitch’s desktop, console, and mobile game clients
- An unreleased Steam competitor codenamed “Vapor” by Amazon Game Studios
- Information about other properties Twitch owns, such as CurseForge, along with SDK and internal Amazon Web Services tools used by Twitch
The poster said the leak was intended “to foster more disruption and competition in the online video streaming space,” because Twitch’s community is “a disgusting toxic cesspool.”
Fortunately, user passwords don’t appear to be part of the files, but the leak was labeled “part one” and Cimpanu notes that the torrents include folders “holding information about Twitch’s user identity and authentication mechanisms, admin management tools, and data from Twitch’s internal security team, including white-boarded threat models describing various parts of Twitch’s backend infrastructure.”
Between that information, and the fact that the source code for the site and its various clients were released, we highly recommend changing your Twitch password and enabling two-factor authentication for the site, just in case user data was—or will be—compromised in some way. Head to Twitch’s security settings page to adjust both. Our guides to the best password managers and 2FA solutions can help you set up strong protections if you’re unfamiliar with either technology. They’re both vital in the breach-rife modern world.
And if you’re a content creator who streams to Twitch, ensure your banking credentials also use a strong, unique password and are protected by two-factor authentication if possible. This leak shouldn’t jeopardize those in any way, but better safe than sorry.