Twitch Hack – What was actually leaked?

On October 6^th 2020 Twitch.tv was the victim of one of the biggest data breaches of all time thanks to a hacker gaining access to the system during a configuration change. Twitch confirmed on twitter that the twitch hack was genuine saying “Our teams are working with urgency to understand the extent of this. We will update the community as soon as additional information is possible.

The 125GB leak was posted on the 4chan messaging board by an anonymous user claiming it included the entirety of Twitch and its commit history. Worryingly the leak was labeled as “part one” but there has been no further release up to this point and this could of just been posturing on the part of the anonymous user.

The leak was massive and included:

• The entirety of Twitch’s source code with comment history “going back to its early beginnings”
• Creator payout reports from 2019
• Mobile, desktop and console Twitch clients
• Proprietary SDKs and internal AWS services used by Twitch
• “Every other property that Twitch owns” including IGDB and CurseForge
• An unreleased Steam competitor, codenamed Vapor, from Amazon Game Studios
• Twitch internal ‘red teaming’ tools (designed to improve security by having staff pretend to be hackers)

The creator payouts were searchable using Twitch ID so to search for a specific user your username must be converted to Twitch ID which can be done using a tool here on StreamWeasels. The leaker has stopped short of releasing any personal account information however and it appears no login information or bank details have been compromised. There was unfounded claims of ‘encrypted passwords’ being part of the leak but this is not the case.

Close inspection of the leak does seem to show that Twitch uses Bcrypt to hash passwords which is a good sign and means that unless your password is very weak it is unlikely to be cracked. Despite this, on the off chance that Twitch’s login database was breached and is still to be released in a second release it is recommended your Twitch password is changed and two-factor authentication is enabled. We would recommend using an actual TOTP (Timebased One Time Password) authenticator app such as google authenticator rather than SMS or email based authentication. For streamers all stream keys were changed by steam immediately and this isn’t required again.

Now that the dust has settled since the release of the leak the main talking point has been the amount of money some streamers are making from the platform prompting many to anger at the success they are getting. However as Sub counts are public the amounts streamers make from subs isn’t all that surprising. One analysis of the amounts streamers make calculated that of all streamers going live over the period covered only about 0.05% even made minimum wage from streaming.