Online streaming service Twitch.TV has been the victim of a hacking incident. Twitch has confirmed the latest hack, in which 128GB of data has been leaked online. Twitch.TV is a website that allows people to broadcast gaming-related content in real time.
Details of the hack first emerged on a public forum known as 4chan, with the anonymous poster sharing a BitTorrent download link. Although the original post has been removed, the torrent file is still readily available for download.
The massive 128GB of data seems to include:
- The complete source code of Twitch, including comments, stretching back to its beginnings
- Payout information from Twitch’s top creators
- Twitch clients for mobile, desktop, and video game consoles
- Proprietary SDKs and internal AWS services used by Twitch
- Every other property that Twitch owns
- An unreleased Steam competitor from Amazon Game Studios
- Twitch internal ‘red teaming’ security tools
In the 4chan post, the anonymous leaker claims to have published the data to “foster more disruption and competition in the online video streaming space” and referred to Twitch as “a disgusting toxic cesspool.” The leaker goes on to say that “Jeff Bezos paid $970 million for this, we’re giving it away for free.”
The 128GB torrent file was published as “twitch-leaks-part-one”, a name that implies there will be subsequent data dumps over time.
No user account information or passwords were leaked in this data dump, and it remains to be seen whether they will be leaked in future data dumps. Anyone with a Twitch account is advised to change their password immediately.
Additional information, such as private keys used to sign Twitch’s JWTs (JSON Web Tokens) as well as Slack-bot tokens, was found in the data dump.
The payout files included in the dump go back to 2013 and identify users by their user identification number. According to the records, many streamers did not receive any money, while others received hundreds of thousands of dollars.
The only public comment that Twitch has made available is a tweet confirming a breach has taken place: