The bigger something is on the internet, the more alluring it becomes in the eyes of hackers.
Twitch is an American video live streaming service that focuses on video game live streaming, that also include broadcasts of e-sports competitions. In addition, it also offers music broadcasts, creative content, and more.
As an Amazon subsidiary, a spin-off of the general-interest platform Justin.tv, Twitch has gained traction among users, especially when its streamers are allowed to monetize through commissions.
The result of this, Twitch is considered the leading live-streaming video service for games in the U.S., with huge advantages over YouTube gaming and others on the same niche.
As of February 2020, the platform had 3 million monthly broadcasters and 15 million daily active users, with 1.4 million average concurrent users.
And this time, the platform fell for an attack by a hacker, which then resulted in a leak considered to be one of the largest in the history of the internet.
This happened as an anonymous hacker claimed to have leaked the entirety of Twitch, including its source code and user payout information.
The alleged hacker posted a 125GB torrent link to 4chan, stating that the leak was intended to “foster more disruption and competition in the online video streaming space” because “their community is a disgusting toxic cesspool”.
Inside the file, includes:
- The entirety of Twitch’s source code, as well as commit history from almost 6,000 internal GitHub repositories “going back to its early beginnings.”
- Creator payout reports for Twitch's almost 2.4 million streamers since 2019.
- Source code for the mobile, desktop, and video game console Twitch clients.
- Proprietary software development kits (SDKs), as well as internal AWS services used by Twitch.
- Data about “every other property that Twitch owns,” including IGDB and CurseForge.
- Information about an unreleased Steam competitor, codenamed Vapor, from Amazon Game Studios.
- Twitch internal ‘red teaming’ tools that are designed to improve security by having its own employees pretend to be hackers.
The anonymous leaker stated that the leak that contains the above data, is just the first part of the content, saying that it's only “part one” of “an extremely poggers leak.”
The hacker added that “we have completely pwnd them.”
The hacker also include the #DoBetterTwitch and /#TwitchDoBetter hashtags.
Twitch is no stranger in cases that sparked from its creators and users who feel that the platform doesn't take enough action to curb problematic members. Twitch argues that attempting to make the platform a safer place is not easy.
“No one should have to experience malicious and hateful attacks based on who they are or what they stand for,” Twitch once stated. “This is not the community we want on Twitch, and we want you to know we are working hard to make Twitch a safer place for creators."
“Hate spam attacks are the result of highly motivated bad actors, and do not have a simple fix. Your reports have helped us take action – we’ve been continually updating our sitewide banned word filters to help prevent variations on hateful slurs, and removing bots when identified."
“We’ve been building channel-level ban evasion detection and account improvements to combat this malicious behaviour for months. However, as we work on solutions, bad actors work in parallel to find ways around them – which is why we can’t always share details.”
But regardless, this hack and leak, which have been confirmed by Twitch itself, is Twitch's largest problem to date.
"Jeff Bezos paid $970 million for this [Twitch], we’re giving it away FOR FREE,” the hacker said.
We can confirm a breach has taken place. Our teams are working with urgency to understand the extent of this. We will update the community as soon as additional information is available. Thank you for bearing with us.
— Twitch (@Twitch) October 6, 2021
The consequences for a leak like this can be catastrophic.
First and foremost, Twitch's business can be affected. Making things worse, this is because the leak also contains unreleased product.
And second, the leak also include the financial information for popular streamers out there. And this kind of data can pose serious privacy and security issues.
While Twitch streamers can earn revenue from a variety of methods, the leak exposes many streamers with big paycheck. With the most popular accounts having more than 10 million followers and earning millions of dollars, this leak can make those streamers particularly attractive targets for attackers.
For example, Twitch’s highest-paid streamer, a creator called CriticalRole, raked in $9.6 million from August 2019 through October 2021. CriticalRole was followed by streamers xGcOW and summit1g, who earned from Twitch $8.5 million and $5.8 million, respectively.
It's worth noting that the goals of this anonymous hacker is to share Twitch's own information rather than the personal information of its users. But this leak apparently comes with personal information as well.
While passwords and such are encrypted, users can be exposed to future cyberthreats if the data falls to some malicious actors who wish to disrupt.
Making things worse, Twitch is popular among gamers who are mostly youngsters. What this means, the data included may be hackers' path towards lots of information about minors, making the impact amplified.
Following the news, security experts began to wonder about Twitch's security setup. How could someone exfiltrate that much information of the most sensitive data without tripping a single alarm? And responding to the news, people started making fun of Twitch, especially its content creators, by making jokes and criticisms, as well as memes.
It is later said that the cause of this hack was "a Twitch server configuration change."