Well, that’s bad. Twitch, the popular streaming site, appears to have been hacked. An anonymous leaker on the 4chan message boards posted a 125GB torrent allegedly containing the source code for the streaming service, along with payout information for creators and details on an unreleased Amazon rival to Steam called “Vapor”.
You can’t take anonymous hackers at their word, but The Record’s well-known security journalist Catalin Cimpanu downloaded some of the files and confirmed that “the contents of the leak match what the hacktivists allegedly shared”. The security researcher Troy Hunt has meanwhile put together a Twitter thread from various Twitch streamers confirming the payout data is legitimate, and Video Games Chronicle says “an anonymous corporate source” told them that “the leaked data is legitimate, including the source code for Amazon’s own streaming platform”.
We asked Twitch for confirmation, but this hack definitely seems to be real. We will not link to the torrent. The files allegedly contain a treasure trove of closely guarded secrets, including:
- Three years of payout information for creators
- Twitch source code “with a commit history that goes back to its early beginnings”
- Source code for Twitch’s desktop, console, and mobile game clients
- An unreleased Steam competitor code-named “Vapor” from Amazon Game Studios
- Information on other Twitch properties, such as CurseForge, along with SDK and internal Amazon Web Services tools used by Twitch
The poster said the leak was intended to “encourage more disruption and competition in online video streaming,” as the Twitch community is “a disgusting, toxic cesspool.”
Fortunately, user passwords don’t seem to be part of the files, but the leak has been labeled “Part 1”, and Cimpanu notes that the torrents include folders that “contain information about Twitch’s user identity and authentication mechanisms, admin management tools, and data from” Twitch’s in-house security team, including whiteboard threat models describing various pieces of Twitch’s back-end infrastructure.
Between this information and the fact that the source code for the site and its various clients has been released, we highly recommend changing your Twitch password and enabling two-factor authentication for the site, just in case any user credentials have been or will be compromised somehow. Go to Twitch’s security settings page to set up both. Our guides to the best password managers and 2FA solutions can help you put strong protections in place if you are unfamiliar with either technology. Both are vitally important in the modern world, where breaches keep happening.
And if you’re a content creator who streams on Twitch, make sure your banking accounts are also protected with a strong, unique password and two-factor authentication where possible. This leak should not jeopardize them in any way, but better safe than sorry.