Last Wednesday, live streaming subscription service Twitch was hacked, leaking a 125 GB torrent including creator payout information, source code, data on Twitch-owned IGDB and CurseForge, internal security tools and company documents, and more, reports Video Games Chronicle. Twitch, who was acquired by Amazon in 2014, confirmed the breach on Twitter.
According to Tubefilter, the hacker responsible posted on 4chan that the purpose for the hack was to “foster more disruption and competition in the online video streaming space” because, in the hacker’s opinion, the Twitch community “is a disgusting toxic cesspool.” This may not be the end of the breach. The Verge reports that the breach was labelled “part one” which indicates there could be another breach coming.
Creator payout information
Of particular concern to the creators is the payout information that was leaked, which includes subscription and ad revenue earned from Twitch. The leaked data revealed that 81 creators have earned more than $1 million by Twitch since August 2019, says Video Games Chronicle. The top earner was CriticalRole at $9.6 million, followed by xQcOW at $8.4 million, summit1g at $5.8 million, Tfue at $5.2 million and NICKMERCS at $5 million.
Twitch provides updates
In an October 6, 2021 blog post, Twitch provided updates on the “Twitch Security Incident.”
“We have learned that some data was exposed to the internet due to an error in a Twitch server configuration change that was subsequently accessed by a malicious third party. Our teams are working with urgency to investigate the incident,” Twitch wrote.
“As the investigation is ongoing, we are still in the process of understanding the impact in detail. We understand that this situation raises concerns, and we want to address some of those here while our investigation continues,” the live streaming company said.
Twitch also said they did not believe that login credentials were compromised, but they would continue their investigation. Video Game Chronicles advises Twitch users to change their passwords to be safe and encourages them to turn on two-factor authentication, a good cybersecurity practice regardless of the application. In terms of payment information, Twitch does not store full credit card numbers, so that information was not exposed, the company confirmed.
In an October 7 (1 a.m.) update to that post, Twitch said they had reset all stream keys and some users would need to manually update their software, depending on what broadcast software they use. For example, Twitch customers who use Twitch Studio, Streamlabs, Xbox, PlayStation or the Twitch mobile app, shouldn’t need to update their software for their new stream keys to work. In addition, OBS users who have connected their Twitch account shouldn’t have any problems. Those who have not connected Twitch to OBS will need to make an update.
The data breach, which was focused more on Twitch’s own tools than on personal data, comes about eight weeks after the #DoBetterTwitch movement pushed Twitch to address harassment, hate raids and related concerns. Twitch tweeted this response on August 11.
October is cybersecurity awareness month, and the month is off to a less than auspicious start. Gizmodo included Twitch in its list of the biggest hacks of 2021 (so far). They even called it a “gargantuan theft” that Twitch created with a “security hiccup” in their system. Ouch. This is disappointing for Twitch as a company but, even more so, for creators who rely on Twitch for income and for subscribers who use Twitch daily. This hack illustrates that no one is immune to cybersecurity attacks and even large, tech-based companies are vulnerable.