Skip to main content

Massive Twitch data breach reveals source code — what you need to know [updated]

How to do a charity stream on Twitch
(Image credit: Shutterstock)

Updated with additional information from Twitch.

Twitch, the streaming and chat platform used by millions of online gamers and owned by Amazon, seems to have been seriously hacked. 

An anonymous post to 4chan early today (Oct. 6) linked to a 125GB stash of data that seems to contain Twitch source code and financial information, including the amount paid out to streamers, reports Video Games Chronicle.

Also apparently included was source code for Vapor, a competitor to Steam that Twitch has been rumored to be working on. We've got a separate story on that.

In response to a query from Tom's Guide, Twitch gave us this statement:

"We can confirm a breach has taken place. Our teams are working with urgency to understand the extent of this. We will update the community as soon as additional information is available. Thank you for bearing with us."

An identical statement was tweeted earlier today by the official Twitch account.

It's not clear if passwords, usernames or credit-card numbers were leaked, but the posted data is labeled "Part I," implying more may be on the way. One Twitter user said the data included "encrypted passwords," but no one else who's seen the data has said so.

If you have a Twitch account, you should probably change your password immediately just as a precaution. Make it unique and strong. Then turn on Twitch's two-factor authentication if you haven't already enabled it.

If you get paid by Twitch, check activity on whichever account you have that Twitch pays into. Choose the strongest available security settings on that account too.

The 4chan poster who linked to the data torrent said that the Twitch community "is a disgusting toxic cesspool, so to foster more disruption and competition in the online video streaming space, we have completely pwned them, and in part one, are releasing the source code from almost 6,000 internal Git repositories."

See more

Twitch has been criticized for allowing "hate raids" by swarms of users against other specific users. Fed-up Twitch users organized a "Twitch strike" this past Sept. 1 to protest what they saw as Twitch's inaction.

The leaked data is said to include all of Twitch's source code dating back to the launch of the service; streamer payouts going back to 2019; code for the desktop, mobile and gaming-console Twitch client software; code for other Twitch-owned properties, including SourceForge; and the Vapor software, which Video Games Chronicle said had been created by Amazon Game Studios. 

Troy Hunt, who runs the password-checking site HaveIBeenPwned, posted a list of the files in the Twitch data stash on GitHub.

Possibly most concerning was the leak of Twitch's own "red teaming" tools used by in-house hackers to test the security of Twitch. 

"If true, this would likely include phishing lures known to be successful against Twitch employees, the hacking playbook," tweeted Rachel Tobac, CEO of Social Proof Security. "If you work at Twitch, be politely paranoid about messages, requests, etc."

See more

The data appears to be legitimate, according to various reports on Twitter. Several creators said the payout data matches what Twitch has indeed paid them over time. Catalin Cimpanu, a reporter for The Record, tweeted that a former Switch engineer had told him the data was real.

Update: Twitch says no passwords at risk

Late on Wednesday (Oct. 6), Twitch posted on its blog that "some data was exposed to the internet due to an error in a Twitch server configuration change that was subsequently accessed by a malicious third party."

"At this time, we have no indication that login credentials have been exposed," the post continued. "Additionally, full credit card numbers are not stored by Twitch, so full credit card numbers were not exposed."

Twitch updated the blog post Thursday (Oct. 7) to say that it had reset all stream keys. Some Twitch streamer may need to manually update their client software — details are in the blog post.

That's nice to hear about the login credentials (usernames and passwords), though we still think all Twitch users need to reset their passwords and enable 2FA on their accounts anyway. We don't know if this will be the last batch of Twitch data to be dumped online.

Also, we'd like to know more about those credentials, such as if and how they were stored and secured. 

Meanwhile, "full credit card numbers" implies that credit card numbers were partly exposed. That could mean that Twitch stores the last four digits of a number in plaintext.

We reached out to our Twitch contact, who told us that the company could not comment further, but that more updates to its blog would be coming.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.