Twitch Confirms Source Code Leak
Twitch has confirmed that it has suffered a major data breach, and that a hacker accessed the company’s servers because of an error in a server configuration change. A huge cache of source code repositories, creator payouts and other internal data from Twitch has been published online following the breach.
Twitch admits a hacker was able to access data that was mistakenly exposed to the internet “due to an error in a Twitch server configuration change that was subsequently accessed by a malicious third party.” It’s not clear how much data has been accessed, though. Twitch says it’s still working to understand its security breach, and it appears that some users are being asked to change their passwords.
While Twitch is still investigating and says there’s no indication login details were exposed, we’d still recommend changing your Twitch password and enabling two-factor authentication if you haven’t already done so.
The company says it has “no indication that login credentials have been exposed,” and that “full credit card numbers were not exposed.” A Twitch spokesperson on Twitter said, “We can confirm a breach has taken place. Our teams are working with urgency to understand the extent of this. We will update the community as soon as additional information is available.”
Hackers have so far leaked data that includes source code for the company’s streaming service, an unreleased Steam competitor from Amazon Game Studios, and details of creator payouts. An anonymous poster on the 4chan messaging board released a 125GB torrent earlier today, which they claim includes the entirety of Twitch and its commit history.
Several Twitch streamers have confirmed that the leaked records match their own. One user said, “I looked at a line from June 2019 and literally 100% match to the information showing on my analytics on my dashboard.” The leak of internal source code could also represent a security risk, since it now allows practically anyone to search for security vulnerabilities in the code.
The Twitch leak will be damaging for the game streaming service either way, and particularly for creators who rely on Twitch to keep their earnings and information secure. The hack follows weeks of protests calling on Twitch to improve its service under the #DoBetterTwitch movement. Twitch streamers also took a day off in August to protest against the company’s lack of action against hate raids.
The leak has been labeled as “part one,” suggesting that there could be more to come. While personal information like creator payments is included, this initial leak doesn’t appear to include passwords, addresses, or email accounts of Twitch users. Instead, the leaker appears to have focused on sharing Twitch’s own company tools and information, rather than code that would include personal accounts.