Update 1: Twitch believes login credentials have not been exposed (October 7th, 2021):
Twitch posted a statement on their blog that, “At this time, we have no indication that login credentials have been exposed.” Additionally, as credit card details are not stored by Twitch, they have ruled out exposure of that data. Even with this latest statement, we recommend changing your password and enabling multi-factor authentication.
Original Post (October 6th, 2021):
The video streaming platform Twitch has some motivated enemies. An anonymous user on the discussion board 4chan shared a torrent file comprising a large collection of data ranging from Twitch source code to payout figures of top streamers. The hacker believed Twitch had failed to rein in hateful content spread in Twitch chats and concluded that “their community is a disgusting toxic cesspool.”
The alleged data (from the hacker's 4chan post):
- Entirety of twitch.tv, with commit history going back to its early beginnings
- Mobile, desktop and video game console Twitch clients
- Various proprietary SDKs and internal AWS services used by Twitch
- Every other property that Twitch owns including IGDB and CurseForge
- An unreleased Steam competitor from Amazon Game Studios
- Twitch SOC internal red teaming tools (lol)
- AND: Creator payout reports from 2019 until now. Find out how much your favorite streamer is really making!
While the streamer payouts have garnered a lot of attention (with a website created for said topic), there was a lot more sensitive data released. Source code and new products yet to be released are among the big items exposed today. We can assume that threat actors, opportunists, and curious researchers have begun reviewing the source code and are seeking new vulnerabilities, big and small. Twitch will have a lot of work ahead of them.
What if you are a Twitch user? The hacker referred to this as “part one” of the data they planned to release. Some researchers have already claimed to have found hashed passwords in the released file, and the serious extent of this compromise doesn’t give comfort to those worrying about the integrity of Twitch consumer credentials (even if they have yet to be released). We recommend changing your password and enabling multi-factor authentication if you have not yet done so. When in doubt about any account that may have been compromised, go ahead and update the password and review your account security measures.