Interactive livestreaming platform Twitch acknowledged a "breach" after an anonymous poster on the 4chan messaging board leaked its source code, an unreleased Steam competitor from Amazon Game Studios, details of creator payouts, proprietary software development kits, and other internal tools.
The Amazon-owned service said it's "working with urgency to understand the extent of this," adding the data was exposed "due to an error in a Twitch server configuration change that was subsequently accessed by a malicious third party."
Ever wondered why social engineering is so effective? Dive deep into the psychology of cyber attackers in our upcoming webinar.Join Now
"At this time, we have no indication that login credentials have been exposed," Twitch noted in a post published late Wednesday. "Additionally, full credit card numbers are not stored by Twitch, so full credit card numbers were not exposed."
The forum user claimed the hack is designed to "foster more disruption and competition in the online video streaming space" because "their community is a disgusting toxic cesspool." The development was first reported by Video Games Chronicle, which said Twitch was internally "aware" of the leak on October 4. The leak has also been labeled as "part one," suggesting that there could be more on the way.
The massive trove, which comes in the form of a 125GB Torrent, allegedly includes —
- The entirety of Twitch's source code with commit history "going back to its early beginnings"
- Proprietary software development kits and internal AWS services used by Twitch
- An unreleased Steam competitor, codenamed Vapor, from Amazon Game Studios
- Information on other Twitch properties like IGDB and CurseForge
- Creator revenue reports from 2019 to 2021
- Mobile, desktop and console Twitch clients, and
- Cache of internal "red teaming" tools designed to improve security
The leak of internal source code poses a serious security risk in that it allows interested parties to search for vulnerabilities in the source code. While the data doesn't include password related details, users are advised to change their credentials as a precautionary measure and turn on two-factor authentication for additional security.