Twitch admits that source code, creator earnings, are prone to major leaks

Twitch admits that source code, creator earnings, are prone to major leaks

Aurich Lawson / Getty Images

Live video broadcasting service Twitch has been hit by a massive hack that revealed 125 GB of company data. In a 4chan thread that was published (and removed) on Wednesday, an anonymous user posted a torrent file of the multi-gig data dump. The dump contains the company’s source code and information about money earned by Twitch creators.

Twitch admits to having violated, but is unsure of “scope”

In a 4chan post seen by Ars today, an anonymous user claimed to have leaked 125 GB of data that was removed from 6,000 internal Twitch Git repositories. The forum poster mocked Amazon’s acquisition of Twitch and wrote: “Jeff Bezos paid $ 970 million for this, we’re giving it away for FREE.”

A 4chan user posted a torrent on a 125 GB data dump.
Enlarge / A 4chan user posted a torrent on a 125 GB data dump.

The hacker wrote that the purpose of the leak was to cause disruption and promote competition between video streaming platforms. The hacker further said that Twitch’s “community is a disgusting, toxic cesspool.”

Twitch has acknowledged the breach but has not answered Ars’ question. At this point, it seems that even Twitch is not aware of the full extent of the breach, as the company is still working on the details:

Earnings from the best Twitch creators revealed

The same thread on 4chan also claimed to reveal “creator payout reports from 2019 to now. Find out how much your favorite streamer really earns!”

In particular, the 125 GB archive has the title “Part One”, alluding to the possibility of future leaks.

A small subset of data seen by Ars shows the earnings of the top 10,000 Twitch users next to their usernames. An updated list was submitted by the game creator Last night, and a Twitter user who analyzed the dump posted a detailed summary of the payouts:

An anonymous Twitch source confirmed to the Video Games Chronicle that the leaked data, including Twitch’s source code, is legitimate. According to the company’s source, the data was obtained as late as Monday.

The 4chan poster claims that the leaked data dump contains:

  • Entire source code, with commit history from the beginning
  • Creator payout reports from 2019
  • Mobile, desktop and video game console Twitch clients
  • Proprietary SDKs and internal AWS services used by Twitch
  • Data from “all other properties owned by Twitch”, including IGDB and CurseForge
  • Information about an unreleased Steam competitor (“Vapor”) from Amazon Game Studios
  • Twitch’s internal “red teaming” tools used by SOC (security) teams

The dump allegedly also contains Unity source code for a game called “Vapeworld. “

Portions of the leaked archive are large and contain large ZIP files, and it may take days before the full extent of the breach is understood:

Twitch data dump
Enlarge / Twitch data dump “Share a” content.

Some Twitter users also claimed to see encrypted passwords present in the dump, urging Twitch users to enable two-factor authentication and change passwords as a security measure.

The hack puts more bad news on Twitch’s plate and follows a recent and long-awaited public response to hate raid questions. During such raids, vulgar and hate speech is dumped into the site’s prominent chat feeds by users and bots.

Interestingly, NBC’s technology research reporter Olivia Solon says that all of Amazon’s storage systems were affected by a network interruption last night, though the company will not confirm whether this event was linked to the Twitch hack.

According to Solon:

Amazon warehouse workers across the United States could not work for at least two hours last night because their internal software crashed and none of their scanners would work.

All Amazon wants to say is that it was a “network outage that was quickly resolved.”

Amazon’s acquisition of Twitch in 2014 maintained that the company would operate “independently” of Amazon. As such, it is not clear whether Twitch runs its own server stack or uses Amazon’s rack space.

Leave a Comment