Amazon-Owned Twitch Is the Victim of 125GB Data Breach

Including creator payout data since August 2019

Last Wednesday, live streaming subscription service Twitch was hacked, leaking a 125 GB torrent including creator payout information, source code, data on Twitch-owned IGDB and CurseForge, internal security tools and company documents, and more, reports Video Games Chronicle. Twitch, who was acquired by Amazon in 2014, confirmed the breach on Twitter.

Image from Twitter

According to Tubefilter, the hacker responsible posted on 4chan that the purpose for the hack was to “foster more disruption and competition in the online video streaming space” because, in the hacker’s opinion, the Twitch community “is a disgusting toxic cesspool.” This may not be the end of the breach. The Verge reports that the breach was labelled “part one” which indicates there could be another breach coming.

Creator payout information

Of particular concern to the creators is the payout information that was leaked, which includes subscription and ad revenue earned from Twitch. The leaked data revealed that 81 creators have earned more than $1 million by Twitch since August 2019, says Video Games Chronicle. The top earner was CriticalRole at $9.6 million, followed by xQcOW at $8.4 million, summit1g at $5.8 million, Tfue at $5.2 million and NICKMERCS at $5 million.

Twitch provides updates

In an October 6, 2021 blog post, Twitch provided updates on the “Twitch Security Incident.”

“We have learned that some data was exposed to the internet due to an error in a Twitch server configuration change that was subsequently accessed by a malicious third party. Our teams are working with urgency to investigate the incident,” Twitch wrote.

You May Be Interested In:


NEXT WEEK IS
Subscription Show 2021


Join Us In-Person or Virtual

Get The Latest Intel To Grow Your Business

Recurring Payments & Processing
Subscriber Retention
Subscription Acquisition & Marketing
Legal and Compliance
Managing Fraud
Pricing & Packaging
Subscription Centric M&A
More

Register Now

“As the investigation is ongoing, we are still in the process of understanding the impact in detail. We understand that this situation raises concerns, and we want to address some of those here while our investigation continues,” the live streaming company said.

Twitch also said they did not believe that login credentials were compromised, but they would continue their investigation. Video Game Chronicles advises Twitch users to change their passwords to be safe and encourages them to turn on two-factor authentication, a good cybersecurity practice regardless of the application. In terms of payment information, Twitch does not store full credit card numbers, so that information was not exposed, the company confirmed.

In an October 7 (1 a.m.) update to that post, Twitch said they had reset all stream keys and some users would need to manually update their software, depending on what broadcast software they use. For example, Twitch customers who use Twitch Studio, Streamlabs, Xbox, PlayStation or the Twitch mobile app, shouldn’t need to update their software for their new stream keys to work. In addition, OBS users who have connected their Twitch account shouldn’t have any problems. Those who have not connected Twitch to OBS will need to make an update.

#DoBetterTwitch movement

The data breach, which was focused more on Twitch’s own tools than on personal data, comes about eight weeks after the #DoBetterTwitch movement pushed Twitch to address harassment, hate raids and related concerns. Twitch tweeted this response on August 11.

Insider Take

October is cybersecurity awareness month, and the month is off to a less than auspicious start. Gizmodo included Twitch in its list of the biggest hacks of 2021 (so far). They even called it a “gargantuan theft” that Twitch created with a “security hiccup” in their system. Ouch. This is disappointing for Twitch as a company but, even more so, for creators who rely on Twitch for income and for subscribers who use Twitch daily. This hack illustrates that no one is immune to cybersecurity attacks and even large, tech-based companies are vulnerable.