A massive data breach of video streaming service Twitch has exposed just about everything possible that could be taken from its internal network. The 125 GB torrent, posted on a public website for anyone to download, has been confirmed by Twitch and is only the “first part” of forthcoming materials according to the anonymous leaker.
Twitch data breach exposes entire platform to the public
The data breach appeared as a 125 GB torrent link posted to popular message board 4Chan on Wednesday. The anonymous leaker accompanied the torrent link with a message that indicates that this is more of an activist action than an attempt at cyber crime; captioning the initial post with a picture of a surprised Jeff Bezos (Amazon purchased Twitch for $970 million in 2014), the leaker called Twitch a “disgusting toxic cesspool” and exhorted the company to “do better.”
Founded as the gaming specialty channel of pioneering streaming service Justin.tv in 2007, Twitch quickly took on a life of its own as the world’s premier online destination for eSports broadcasting. It is also the leading site for “streamers” who make a living recording themselves playing video games online. The site is one of the busiest in the world, regularly drawing numbers that put it in the company of services like Netflix and YouTube.
The leaker claims that the source code was taken from over 6,000 internal GitHub repositories. According to the initial 4Chan post, the data breach contains just about every piece of proprietary code one could want from Twitch: the service’s clients for various platforms, all of the code for the twitch.tv site dating back to its inception, internal AWS services, proprietary SDKs, code for properties that Twitch has acquired (such as modding site CurseForge and the Internet Game Database), internal security “red teaming” tools for simulating attacks, and initial code for an online gaming platform called Vapor (comparable to Steam) that Amazon currently has in development.
There are conflicting reports about whether encrypted or hashed passwords are included. The initial 4Chan post does not mention this, but some social media users claim to have found some while combing through the torrent. Regardless of whether or not user login information is included, all Twitch users are advised to change their password and ensure two-factor authentication is enabled, as more leaked data may be coming down the pipe.
In addition to the absolute pile of code, the data breach included tables revealing how much the platform’s streamers make each month. While this did not include financial information or personal documents, it quickly became a popular piece of gossip around the internet as it was revealed that broadcasting yourself playing video games can make you a millionaire; in fact, 81 people have made more than $1 million since August 2019. The biggest earners, the Critical Role channel, are close to cracking $10 million.
Twitch confirmed that the data breach was legitimate in a tweet on Wednesday, saying that it is “working with urgency” to measure the extent of the damage. The company reset all stream keys on Thursday as a safety precaution and asked content creators to obtain new ones.
Jarno Niemela, Principal Researcher for F-Secure, advises anyone with a Twitch account to act as if anything they’ve ever typed into the platform is going to eventually be leaked: “As the attacker indicated that they have not yet released all the information they have, anyone who has been a Twitch user should review all information they have given to Twitch, and see if there are any precautions they need to make so that further private information isn’t leaked. And while it won’t help in this case as data has already leaked, users should always be cautious on what kind of information they provide to any social media platform.”
Why would activist hackers target Twitch?
While cyber crime has been very much on the rise since the start of the pandemic, this sort of massive public data breach is more reminiscent of the LulzSec attacks in 2011 that compromised targets such as Sony and Fox Broadcasting for seemingly no reason other than personal amusement.
While the leaker has yet to get into specifics about their motivations, the timing would indicate that it has something to do with mounting discontent among streamers over harassment. On September 1, a number of high-profile streamers organized a virtual walkout for the day in protest of the platform’s failure to protect them from organized “hate raids” that disrupt broadcasts. Often driven by bots, hate raids involve flooding a stream with negative comments to push out legitimate chat users.
The leaker’s 4Chan post may refer to the #TwitchDoBetter hashtag that creators have rallied under to protest Twitch’s lack of safety and moderation. However, doxxing these same creators and putting the platform itself in peril via massive data breach would certainly be an unusual protest strategy.
There are other reasons that people might engage in hacktivism against Twitch, though there are no clear links to anything but the “do better” movement to protect creators as of yet. The platform has angered many in recent years for its heavy-handed and sometimes capricious policing of stream content, issuing bans for the use of words that are off-color but not profane and taking flak from conservatives over perceived political bias (former president Trump had his channel streaming live rallies banned from the platform). Creators have also expressed discontent over the platform’s sexual content policies. Such content is nominally banned, but some creators feel that certain streamers are abusing the system by wearing revealing clothing during streams, essentially running a “peep show” under the guise of watching a video game. Streamers in bikinis became so common that Twitch created a dedicated “Hot Tub, Pool and Beach” channel earlier this year for streams of this nature.