In an attempt to “promote more disruption and competition in the online video streaming space”, an anonymous hacker has leaked all of Twitch’s source code and creator earnings. The leak also includes information about an unreleased Steam competitor and data related to Twitch’s security tools. And unfortunately, this is just “part one” of an ongoing gigaleak.
Wrapped in a 125GB torrent, this leaked data was first shared on a 4chan thread on the morning of October 6th. Reliable sources have verified its authenticity to Video Game Chronicle and The Verge, and Twitch confirms that it has suffered a data breach (it has not verified the authenticity of the leak). Some files in this leak were last modified on October 4, a sign that Twitch may have been hacked a few days ago.
All of Twitch’s source code is included in this leak, including the source code for the platform’s mobile, desktop, and console clients. Shockingly, this source code is so complete that it contains full “commit history” from the company’s developers – that is, the notes developers made to record changes to the Twitch backend.
We can confirm that a breach has occurred. Our teams are working with urgency to understand the extent of this. We will update the community as soon as more information is available. Thank you for bearing with us.
– Twitch (@Twitch) October 6, 2021
Internal Twitch security tools also appear in the leak. The most notable (so far) is Twitch’s “red teaming system”, which allows moderators to pretend to be hackers. We still do not know if any harmful security tools are hidden in this leak.
And if you’ve ever wondered how much your favorite streamer earns, you’ll probably find out on social media. This leak contains three years of payout data for Twitch creators. Some streamers have already verified that this leaked financial data matches their earnings, although we are still not sure if this data is all-inclusive or focuses on only a fraction of Twitch streamers.
There are also a few quirks here. Because this leak contains all properties owned by Twitch, such as CurseForge, it reveals some unpublished projects. The most notable is called Vapor, a gaming market with a working title that clearly refers to Steam.
Some Vapeworld assets, including some 3D emotes with specular and albedo maps
I have not installed the version of device that they used, so I am limited to what assets I can get caps of with things like Blender and RenderDoc.
There are also custom device plugins here for devs. pic.twitter.com/6y4woQDcst
– Last night (@Sinoc229) October 6, 2021
Early analysis of Vapor data shows that Twitch is working on something called Vapeworld. Unfortunately (or fortunately, depending on your priorities), this game has nothing to do with smoking cessation. It’s a VR chat client full of weird 3D Bob Ross emojis. We’re not sure if Vapeworld is an abandoned project or a work in progress, but its files were last modified this week.
The hacker who shared this data made it clear that they did so for altruistic reasons, referring to Twitch as a “disgusting cesspool” that inhibits competition in the “video streaming space.” As such, the leak does not contain lots of personal data (apart from streamers’ earnings). It appears that the hacker intentionally omitted this data to protect users.
But any data breach is dangerous, and some analysts say encrypted user passwords are part of this leak (although these claims have not been verified). Not to mention, hackers could use the Twitch source code to find vulnerabilities in its security system, and we’re still waiting for “part two” of this leak, which could target Twitch users instead of targeting the company.
I strongly suggest changing your Twitch password and enabling two-factor authentication on your account. And if you want to be extra secure, I suggest you do the same with your Amazon account, which may be linked to Twitch depending on how you signed up.
Source: VGC, The Verge