Aurich Lawson / Getty Images
The live video streaming service Twitch has been hit by a massive attack that exposed 125GB of the company’s data. In a 4chan thread posted (and deleted) on Wednesday, an anonymous user posted a torrent file of the multi-gig data dump. The dump contains the company’s source code and details of the money earned by the creators of Twitch.
Twitch admits to infraction, but is unsure of “scope”
In a 4chan post seen by Ars today, an anonymous user claimed to have leaked 125GB of data pulled from 6,000 internal Twitch Git repositories. The forum poster poked fun at Amazon’s acquisition of Twitch and read, “Jeff Bezos paid $ 970 million for this, we’re giving it away for FREE.”
Enlarge / A 4chan user posted a torrent of a 125GB data dump.
The hacker wrote that the purpose of the leak was to cause disruptions and promote competition between video streaming platforms. The hacker further said that the “Twitch community is a toxic and disgusting cesspool.”
Twitch has admitted the infringement, but has not responded to Ars’ questions. At this point, it appears that even Twitch is not aware of the full extent of the breach, as the company is still working on the details:
We can confirm that a violation has occurred. Our teams are working urgently to understand the scope of this. We will update the community as soon as additional information is available. Thanks for supporting us.
– Twitch (@Twitch) October 6, 2021
Earnings for Top Twitch Creators Revealed
The same thread on 4chan also claimed to expose “Creator pay reports from 2019 to now. Find out how much your favorite streamer is actually making!”
In particular, the 125GB file is titled “Part One”, alluding to the possibility of future leaks.
A small subset of the data seen by Ars shows the earnings of the top 10,000 Twitch users alongside their usernames. An updated list was aware by the creator of the game Sinoc, and a Twitter user who analyzed the dump posted a detailed breakdown of the payments:
Anonymous Twitch source confirmed Chronicle of videogames that the leaked data, including the Twitch source code, is legitimate. According to the company’s source, the data was obtained as recently as Monday.
The 4chan poster claims that the leaked data dump contains:
- Entire twitch.tv source code, with commit history from the beginning
- Payment reports for creators as of 2019
- Twitch clients for mobile, desktop and gaming consoles
- Proprietary SDKs and internal AWS services used by Twitch
- Data for “all other properties owned by Twitch,” including IGDB and CurseForge
- Information about an unreleased Steam competitor (“Steam”) from Amazon Game Studios
- Internal Twitch “Red Teams” Tools Used by SOC (Security) Teams
The dump reportedly also contains the Unity source code for a game called “Vapeworld. “
Some parts of the leaked archive are huge and contain large ZIPs, and it may take days before the full scope of the violation is understood:
Enlarge / Twitch data dump with “Part One” content.
Some Twitter users also claimed to see encrypted passwords present in the dump and are urging Twitch users to enable two-factor authentication and change passwords as a security measure.
The hack puts more bad news on Twitch’s plate and follows a recent and long-awaited public response to hate raid issues. During such raids, users and bots pour vulgar and hate speech into the main chat channels of the site.
Interestingly, NBC tech research reporter Olivia Solon says that all of Amazon’s storage systems were affected by a network outage last night, although the company will not confirm if this event was related to the Twitch hack.
According to Solon:
Workers at Amazon warehouses in the US were unable to work for at least two hours last night because their internal software crashed and none of their scanners were working.
All Amazon will say is that it was a “network outage that was quickly resolved.”
Amazon’s acquisition of Twitch in 2014 maintained that the entity would operate “independently” from Amazon. As such, it’s unclear whether Twitch runs its own server stack or uses Amazon’s rack space.