I don’t normally do news-type posts, but this is serious. On Wednesday, a link to a 125-gigabyte torrent that contained “The entirety of Twitch” was posted to 4chan. The leaker stated that it was to “foster more disruption and competition in the online video streaming space” and followed with “their community is a disgusting toxic cesspool”. This is a massive Twitch data breach, unlike anything it has experienced in the past.
Twitch is aware of the breach, and it is believed that the data is as recent as Monday, October 4th, 2021.
What was Leaked in the 2021 Twitch Data Breach?
According to Sinoc229 on Twitter, pretty much all of Twitch.
Leaks Relevant to You
- Encrypted passwords? (Update: according to a follow-up article on Video Games Chronicle, this appears to be false? Unsure at this point.)
- 3 years’ worth of creator payouts, in detail
- Potential for addresses and full names (Unconfirmed – Rumor until proven true)
What Else Was Leaked
- The entirety of Twitch’s source code with comment history going back to the beginnings of Twitch
- Source code for Mobile, Desktop, and Console Twitch Clients
- Proprietary SDKs and internal AWS services used by Twitch
- Every property that Twitch owns, including Curseforge and IMDB
- An unreleased Steam competitor, codenamed Vapor, from Amazon Game Studios
- Internal red teaming tools (used by staff who play the role of attackers)
To make matters worse, this leak was labeled “Part one”, implying that there is more data to be potentially leaked in the future. It is unclear if this breach was the result of the lack of a strong response against hate raids, but it is clear that the leaker is not a fan of the direction that Twitch is heading, as it was posted under the #DoBetterTwitch movement.
Who does this Impact?
Every user on Twitch is impacted by this leak, not just streamers. Make sure you change your passwords, streamer or otherwise.
Regarding payment info: as far as my initial sweep of the various reports can tell, it is unconfirmed whether credit card/bank information was leaked. It is unlikely, given that payment processing is handled by a third party, but the second leak could possibly contain this information. This is not confirmed as of yet, and we have no way of knowing until the second release comes. Keep your eyes on the news about it.
What Can you do to Minimize the Impact?
The first thing you’re going to want to do is to change your password. To do this:
- Navigate to https://www.twitch.tv/settings/security
- Change your password
- Change your stream key
- Change the password of the attached email address
- Review apps connected to your Twitch account
- Monitor your payments on your Twitch account for unauthorized payments
After that, you’ll want to enable two-factor authentication, and check up on good security practices for Twitch. If you do reuse the same password and email account combination elsewhere, I strongly suggest you also change those.
Update: Twitch confirmed at 11:18 AM EST that the breach has taken place.
Second Update: Twitch prompted a site-wide password change. Please log in and change your password as soon as you are able. They also refreshed the stream keys, so you’ll need to reattach any webhooks you use for bots, and reauthorize the OAuth connection for OBS Studio.