Twitch Admits to a Major Data Breach

After its source code and secrets were leaked, Twitch confirmed a major data breach.

Twitch, Amazon's livestreaming service for video games, has revealed that it has suffered a data security breach. The attack is said to have resulted in the loss of information on live streamers' pay-out amounts, Twitch source code, and details about a putative Steam competitor from Amazon Game Studios. In a tweet Wednesday morning, Twitch said, “We can confirm a breach has taken place. Our teams are working with urgency to understand the extent of this. We will update the community as soon as additional information is available.”

Twitch was founded in 2011 by the co-founders of Justin.tv, one of the earliest livestreaming websites. Twitch was purchased by Amazon in 2014 for $970 million. 

On the 4chan message board, an anonymous poster has released a 125GB torrent claiming to contain the entirety of Twitch and its commit history. The breach is said to be intended to "promote further disruption and competition in the online video streaming industry," according to the poster. 

The leak includes 3 years’ worth of details regarding creator pay-outs on Twitch; the entirety of twitch.tv, “with commit history going back to its early beginnings”; source code for the mobile, desktop, and video game console Twitch clients; code related to proprietary SDKs and internal AWS services used by Twitch; an unreleased Steam competitor from Amazon Game Studios; data on other Twitch properties like IGDB and CurseForge; and Twitch’s internal security tools.

The leak has been labeled as “part one,” implying that there may be more to come. While personal information such as creator payments is included, it does not appear that passwords, addresses, or email accounts of Twitch users are included in this initial breach. Instead of publishing code that would contain personal accounts, the leaker appears to have focused on sharing Twitch's own company tools and information. 

Malware authors could potentially use the leaked Twitch code to infect the platform's user base by exploiting software vulnerabilities. However, according to Quentin Rhoads-Herrera, director of professional services at cybersecurity company Critical Start, any return the attackers would obtain would be modest and not worth their effort.

“This is more of a way to publicly humiliate Twitch and potentially lower the trust the Twitch users may have in the platform and company,” Rhoads-Herrera said.