Amazon-owned game streaming platform Twitch has been hacked, with the data breach exposing sensitive data that includes the company’s source code and intellectual property.
The live streaming esports company blamed an “error” in a server configuration change and confirmed that data was accessed by a “malicious third party”.
Stolen data includes creator payout reports, which revealed 81 Twitch creators have earned $1m or more since August 2019.
Other exposed data includes mobile, desktop and console Twitch clients; proprietary software development kits and internal AWS services used by Twitch; intellectual gaming property; and a Twitch red team tool used internally to improve cybersecurity.
The data reportedly included Amazon Game Studio’s plans to launch an online gaming store to compete with Steam.
In a statement, Twitch said: “We have learned that some data was exposed to the internet due to an error in a Twitch server configuration change that was subsequently accessed by a malicious third party. Our teams are working with urgency to investigate the incident.”
The company said it has “no indication” that login credentials were exposed in the hack and that it doesn’t store full credit card numbers.
It said it reset all stream keys out of “an abundance of caution”.
According to Video Games Chronicle, which first reported the news, the hacker posted a torrent link to 125GB of stolen data on the online forum 4chan on Wednesday.
A person claiming to be the hacker posted a note with the files suggesting they targeted Twitch because its community is a “disgusting toxic cesspool”.
Twitch has battled with harassment and hostile commentary on its platform, including “hate raids” in which abusers program bots to post slurs and insults in live stream chats.
“Given the way in which the hacker published the data online suggests the motivation for the attack is either to raise notoriety or make a statement in revenge for the company’s lack of action against hate raids,” said James Smith, head of offensive security at Bridewell Consulting.
He added that it was “extremely concerning” that the hacker was able to steal Twitch’s source code.
Source code is the human-readable form of software from which an application or program is built.
We can confirm a breach has taken place. Our teams are working with urgency to understand the extent of this. We will update the community as soon as additional information is available. Thank you for bearing with us.
— Twitch (@Twitch) October 6, 2021
Twitch hacked: Damaging for Amazon
Amazon acquired Twitch in 2014 for $970m in a push into gaming and to compete with streaming platforms such as Netflix and YouTube. Amazon ranks 16th out of 43 companies in GlobalData’s gaming thematic sector scorecard. It holds a score of five (the highest) in the esports theme and four in social media, thanks to its dominant position in the esports industry.
Twitch has more than 51 million users and is incredibly popular among gamers and musicians for live streaming content. Experts warned that the breach would cause notable reputational damage for Twitch and compound its existing problems.
“The data breach will impact Twitch’s popularity in the short term,” said Rupantar Guha, associate project manager for GlobalData’s thematic team and esports expert. “Twitch is losing streamers to competitors due to high commission rates, and this breach will only exacerbate the issue. Streamers are wary of data breaches, and some are likely to consider moving to YouTube or Facebook.”
Chris Harris, EMEA technical director at Thales UK, said the Twitch data breach would have a “huge impact on trust with customers”.
He added: “Implementing stronger security practices and following good cyber hygiene is the only way to provide robust protection against attacks like these on data, personal information and infrastructure.”
Some Twitch users have claimed the stolen trove of data includes encrypted passwords.
“As password hashes have leaked, all users should change their passwords, and use two-factor authentication if they are not doing so already,” said Jarno Niemelä, principal researcher at F-Secure. “But as the attacker indicated that they have not yet released all the information, anyone who has been a Twitch user should review all information they have given to Twitch and see if there are any precautions they need to make so that further private information isn’t leaked.”
The Twitch hack comes days after Facebook blamed a “faulty configuration change” for an outage that lasted nearly six hours.