What’s going on with the Twitch hack?

7 Oct 2021


A massive hack has leaked sensitive company and user data to the public, but login and credit card details seem to be safe.

Popular game-streaming website Twitch has been the victim of a hack that has publicly leaked more than 100GB of data on the internet.

Data includes the earning figures of top creators, company source code, technical details of upcoming products, and internal server details that only employees could access.

While Twitch has not confirmed the details of leaked data, it confirmed the breach itself in a tweet yesterday (6 October) and said it was working with “urgency” to determine the extent of the leak.

In a blogpost, the Amazon-owned company said that there was no indication of login credentials being compromised. “Additionally, full credit card numbers are not stored by Twitch, so full credit card numbers were not exposed,” it wrote.

But cybersecurity experts are urging users of the platform to take immediate precautionary steps to keep their accounts safe.

What happened?

According to cybersecurity company Malwarebytes, a 125GB torrent file that claimed to contain important Twitch data was posted on popular online forum 4chan. The file was named ‘Part 1’, indicating that more leaks might be on the way.

The data leaked includes source code for Twitch on desktop, mobiles and consoles, creator earnings for the past three years, information on an unreleased competitor to gaming service Steam, data on Twitch properties, and internal security tools.

Some Twitch streamers whose earnings were featured in the leak told BBC News that the figures posted in the file were accurate. Fortnite streamer BBG Calc said: “The earnings list got my figure 100pc correct.”

Twitch posted an update on its website today (7 October) blaming the leak on an error in its server configuration.

“We have learned that some data was exposed to the internet due to an error in a Twitch server configuration change that was subsequently accessed by a malicious third party. Our teams are working with urgency to investigate the incident,” the company wrote.

What should Twitch users do?

Malwarebytes has suggested that users take precautionary steps. Users should log into their Twitch accounts and change their existing passwords immediately. If the previous password has been used for other accounts, users should change those passwords too.

For an additional layer of security, Malwarebytes said users should enable two-factor authentication on Twitch if it is not enabled yet. This will make it harder for malicious parties to enter accounts even if they have access to the password.

In a further update this morning, Twitch said it has reset all stream keys “out of an abundance of caution”. Users can get their new stream key here.

“Depending on which broadcast software you use, you may need to manually update your software with this new key to start your next stream,” it added.

What’s next?

Malwarebytes said that while there isn’t a sign of passwords being leaked yet, it is “highly possible” that these are being saved for a potential ‘Part 2’ of the data leak.

Since the data was posted anonymously, those behind the attack have not been identified. However, the anonymous account called out Twitch for being a “disgusting toxic cesspool” and said the leak was intended to “foster more disruption and competition” in the streaming space.

“Twitch’s most valuable data is now out in the open. Akin to KFC losing its secret recipe, what made its offering unique is now available to its competitors,” said John Vestberg, CEO of Swedish cybersecurity company Clavister.

“For Twitch, this certainly calls for an internal review of its data and security protocols and is another warning to others.”


Vish Gain is a journalist with Silicon Republic