Twitch source code and streamers’ and users’ sensitive information were allegedly leaked online by an anonymous user on the 4chan imageboard.
The leaker shared a torrent link leading to a 125GB archive containing data allegedly stolen from roughly 6,000 internal Twitch Git repositories.
“Their community is also a disgusting toxic cesspool, so to foster more disruption and competition in the online video streaming space, we have completely pwned them, and in part one, are releasing the source code from almost 6,000 internal Git repositories,” the post reads.
According to the anonymous 4chan user, the leaked Twitch data contains:
- The entirety of twitch.tv, with commit history going back to its early beginnings
- Mobile, desktop, and video game console Twitch clients
- Various proprietary SDKs and internal AWS services used by Twitch
- Every other property that Twitch owns, including IGDB and CurseForge
- An unreleased Steam competitor from Amazon Game Studios
- Twitch SOC internal red teaming tools (lol)
- Creator payout reports from 2019 until now.
The anonymous poster named his thread “twitch leaks part one,” which hints at further stolen Twitch data likely being leaked in the future.
BleepingComputer downloaded a portion of the leaked data and can confirm that it looks authentic and matches what was disclosed by the hacker.
The leak was likely a direct reply to Twitch’s lack of response and effective tools to fend off hate raids targeting streamers in August, given that the anonymous leaker also used the #DoBetterTwitch hashtag.
This hashtag was used on Twitter by streamers who shared how their Twitch stream chats were being flooded with harrassment bots.
Twitch eventually acknowledged the issue and said it will launch account verification and channel-level ban evasion detection tools later this year.
“Thank you to everyone who shared these difficult experiences. We were able to identify a vulnerability in our proactive filters, and have rolled out an update to close this gap and better detect hate speech in chat.,” the company said.
A Twitch spokesperson confirmed over email that “a breach has taken place” after this article was published.
We can confirm a breach has taken place. Our teams are working with urgency to understand the extent of this. We will update the community as soon as additional information is available. Thank you for bearing with us.
— Twitch (@Twitch) October 6, 2021
Update: Added more info regarding the hackers’ motivation.