An unknown hacker has leaked the entirety of Twitch’s source code among a 125GB trove of data released this week.
The hack, first reported by Video Games Chronicle and confirmed by multiple sources, includes:
The entirety of twitch.tv, with commit history going back to its early beginnings
Mobile, desktop and console Twitch clients
Creator payout reports from 2019
Proprietary SDKs and internal AWS services used by Twitch
Every other property that Twitch owns including IGDB and CurseForge
An unreleased Steam competitor, codenamed Vapor, from Amazon Game Studios
Twitch SOC internal red teaming tools
The hacker, who called themselves “Anonymous” on a 4chan discussion board, said Twitch’s community is “a disgusting toxic cesspool, so to foster more disruption and competition in the online video streaming space, we have completely pwned them, and in part one, are releasing the source code from almost 6,000 internal Git repositories.”
“Jeff Bezos paid $970 million for this, we’re giving it away FOR FREE. #DoBetterTwitch,” the hacker added.
Twitch and Amazon, which owns the company, did not respond to requests for comment.
#DoBetterTwitch has trended for weeks as the platform has faced backlash for allowing “hate raids” — where the comment sections of minority gamers are overwhelmed by slurs and abuse. Twitch was forced to address the issue in a Twitter thread in August and pledged to do more about racial abuse.
“This is not the community we want on Twitch, and we want you to know we are working hard to make Twitch a safer place for creators. Hate spam attacks are the result of highly motivated bad actors, and do not have a simple fix,” Twitch said. “Your reports have helped us take action - we’ve been continually updating our sitewide banned word filters to help prevent variations on hateful slurs, and removing bots when identified.”
The words did little to quell outrage and gamers held a protest last month, boycotting the site for 24 hours due to the company’s inaction on “hate raids.”
Public reaction to the leak has focused on the massive earnings of popular gamers — which reached the millions for some. In an interview with BBC News, Fortnite streamer BBG Calc confirmed that the earnings seen in the leak were correct, and other high earners backed that up.
There was also a significant amount of business information from Amazon released in the hack, including the company’s plans for a rival to gaming platform Steam called Vapor.
Others raised severe concerns about the security of the platform and the many bank accounts connected to it.
SocialProof Security CEO Rachel Tobac warned streamers to ensure their financial services have the strongest MFA available because they will now be targets for other hackers and scammers.
“For streamers with payout data leaked, this includes Venmo, CashApp, Bank, etc. If hardware based MFA is an option, move to that by end of day (though many banks still don’t offer security key options). If security key not an option, move to app-based MFA rather than SMS-based,” Tobac wrote.
“Intruders supposedly leaked Twitch internal red team tools & threat models — brutal. If true, this would likely include phishing lures known to be successful against Twitch employees, the hacking playbook. If you work at Twitch, be politely paranoid about messages, requests, etc.”
All of Twitch’s red team security measures are now widely available, providing hackers with untold information about how to invade the company and those connected to it, she added.
Among the files leaked, experts focused on the folders “core config packages,” “devtools” (developer tools) and “infosec” (information security).