Updated with additional information from Twitch.
Twitch, the streaming and chat platform used by millions of online gamers and owned by Amazon, seems to have been seriously hacked.
An anonymous post to 4chan early today (Oct. 6) linked to a 125GB stash of data that seems to contain Twitch source code and financial information, including the amount paid out to streamers, reports Video Games Chronicle (opens in new tab).
- Windows 11 could be bad news for gaming PCs — here’s why
- The best Windows 10 antivirus software
- Plus: PSA: Do not buy an Xbox Series S
In response to a query from Tom's Guide, Twitch gave us this statement:
"We can confirm a breach has taken place. Our teams are working with urgency to understand the extent of this. We will update the community as soon as additional information is available. Thank you for bearing with us."
An identical statement was tweeted earlier today (opens in new tab) by the official Twitch account.
It's not clear if passwords, usernames or credit-card numbers were leaked, but the posted data is labeled "Part I," implying more may be on the way. One Twitter user (opens in new tab) said the data included "encrypted passwords," but no one else who's seen the data has said so.
If you have a Twitch account, you should probably change your password immediately just as a precaution. Make it unique and strong. Then turn on Twitch's two-factor authentication if you haven't already enabled it.
If you get paid by Twitch, check activity on whichever account you have that Twitch pays into. Choose the strongest available security settings on that account too.
The 4chan poster who linked to the data torrent said that the Twitch community "is a disgusting toxic cesspool, so to foster more disruption and competition in the online video streaming space, we have completely pwned them, and in part one, are releasing the source code from almost 6,000 internal Git repositories."
The post containing the torrent claims that Twitch is a "disgusting toxic cesspool". Whether that's motive or a convenient excuse is yet to be seen. pic.twitter.com/8G9d6fTi5mOctober 6, 2021
Twitch has been criticized for allowing "hate raids" by swarms of users against other specific users. Fed-up Twitch users organized a "Twitch strike (opens in new tab)" this past Sept. 1 to protest what they saw as Twitch's inaction.
The leaked data is said to include all of Twitch's source code dating back to the launch of the service; streamer payouts going back to 2019; code for the desktop, mobile and gaming-console Twitch client software; code for other Twitch-owned properties, including SourceForge; and the Vapor software, which Video Games Chronicle said had been created by Amazon Game Studios.
Troy Hunt, who runs the password-checking site HaveIBeenPwned (opens in new tab), posted a list of the files in the Twitch data stash (opens in new tab) on GitHub.
Possibly most concerning was the leak of Twitch's own "red teaming" tools used by in-house hackers to test the security of Twitch.
"If true, this would likely include phishing lures known to be successful against Twitch employees, the hacking playbook," tweeted Rachel Tobac (opens in new tab), CEO of Social Proof Security. "If you work at Twitch, be politely paranoid about messages, requests, etc."
Twitch has allegedly been hacked and leaked. Many streamers confirming personal data from the leak to be accurate. If you’re a streamer and had your payout data leaked, ensure your financial services have strongest MFA available on, threat model is now sadly elevated even more. https://t.co/1SeyhrUPVxOctober 6, 2021
The data appears to be legitimate, according to various reports on Twitter. Several creators said the payout data matches what Twitch has indeed paid them over time. Catalin Cimpanu (opens in new tab), a reporter for The Record, tweeted that a former Switch engineer had told him the data was real.
Update: Twitch says no passwords at risk
Late on Wednesday (Oct. 6), Twitch posted on its blog (opens in new tab) that "some data was exposed to the internet due to an error in a Twitch server configuration change that was subsequently accessed by a malicious third party."
"At this time, we have no indication that login credentials have been exposed," the post continued. "Additionally, full credit card numbers are not stored by Twitch, so full credit card numbers were not exposed."
Twitch updated the blog post Thursday (Oct. 7) to say that it had reset all stream keys. Some Twitch streamer may need to manually update their client software — details are in the blog post.
That's nice to hear about the login credentials (usernames and passwords), though we still think all Twitch users need to reset their passwords and enable 2FA on their accounts anyway. We don't know if this will be the last batch of Twitch data to be dumped online.
Also, we'd like to know more about those credentials, such as if and how they were stored and secured.
Meanwhile, "full credit card numbers" implies that credit card numbers were partly exposed. That could mean that Twitch stores the last four digits of a number in plaintext.
We reached out to our Twitch contact, who told us that the company could not comment further, but that more updates to its blog would be coming.