Big tech and data breaches are becoming inseparable. We’ve been getting news of breach after breach since early this year. Nearly every tech space from Facebook to Neopets has been breached in the recent past. The latest platform added to that list is the popular streaming platform – Twitch.
Twitch’s data breach could be one of the largest to date. A whopping 125GB of data was uploaded to a (now removed) thread on 4Chan by an anonymous user. The data contained within the files date back to the early beginnings of Twitch. Everything from the platforms source code to their most recent Git commits has been uploaded. Together with this, payout information to the platform’s largest creators since 2019 have also been uploaded.
In addition to this data, the leak also contains data on Twitch’s network backbone which runs on AWS. It apparently contains some proprietary SDKs (Software Development Kits) and also information on “Every other property that Twitch owns” including IGDB and CurseForge. It seems like an unannounced competitor to Steam called Vapor for Amazon Game Studios is also contained within the files. Basically, it seems like everything and anything related to Twitch is within the 125GB.
Some users who have been looking through the data have also found that encrypted passwords and user information. So, it goes without saying that you should change your Twitch password if you have an account and activate two-factor authentication. You can do this in the privacy settings on Twitch itself.
The leaker made their motives crystal clear in their post. Noting, “Their community is also a disgusting toxic cesspool, so to foster more disruption and competition in the online video streaming space, we have completely pwned them.” The hackers also ended the post with #DoBetterTwitch. More worryingly, the 125GB of data was labelled as “part one” which indicates there could be more incoming.
It’s probably apt to mention that the leak comes in the wake of the #ADayOffTwitch protest by creators who are trying to get the platform to take hate raids more seriously. The platform has been plagued by users who have used the Raid and tags features to actively harass others. While Twitch has been trying to be proactive, the most it has done is provide streamers with tools to try to control raids and even sue perpetrators.
The breach has since been confirmed by Twitch itself on Twitter.
A cybersecurity firm, Acronis, has chimed in calling the breach “one of the most severe data breaches of late”. In fact, they say that there is, “a lot more damage now in store for Twitch”. Candid Wuest, Vice President of Cybersecurity Research at Acronis, also noted that “While [it is] yet unclear how the breach happened, it’s already harming Twitch on all the fronts that count – revenue, operations, users, influencers, market positioning.” He also noted that Twitch could be at greater risk as the availability of the source code will make it easier for malicious actors to attack the site. More importantly, the company is advising that users be wary and change their passwords as well as activate two-factor authentication on their accounts.
“Leaked data could contain nearly the full digital footprint of Twitch, making it one of the most severe data breaches of late. The 125 GB of data leaked so far might just be the start, according to the comments of the attacker. Internal network plans and marketing plans for future products could now be misused by attackers or sold to competitors. If the source code is exposed, we will see a spike in vulnerabilities discovered in related software. Having access to the source code makes it easy to find weak spots.“
Candid Wuest, Vice President of Cybersecurity Research, Acronis
