Twitch data breach: Everything you need to know

By Bharat Bhushan/Oct. 9, 2021 5:09 am EST

Twitch, the popular Amazon-owned video streaming service is hit by a major hack attack leaving the platform exposed open on both ends. This is one of the most embarrassing hacks in recent times and places a big question mark on Twitch's security measures in place. This attack was executed by an anonymous hacker who has done more damage to the video game streaming platform than ever imagined.

Twitch officials have confirmed this humiliating breach and have promised prompt updates on the same as they dig deep into the modus operandi of the hack. That said, much has been out in the open, and a lot of damage is now a certainty for the platform according to cyber security company Acronis.

The build-up

According to multiple internal sources, the company valued speed and profit over the security of its users and the company data. In the past as well, the streaming service has been hit by hate raids in which streamers had to deal with uncontrolled bots spamming their channels with hate speech. As a result, streamers joined force to create #twitchdobetter hashtag, and also went on a walkout on September 1 to generate attention.

Twitch acknowledged the complaints at that time and promised to develop tools and put safety measures in place to safeguard the game streamers and their valuable community of followers. All that was later pushed to the verge of ignorance by the management and things went on unattended.

Some Twitch employees had raised an alarm even before the incident, but the management allegedly responded to regular moderation failures at a snail's speed. Some sources told TheVerge that 'Twitch knowingly ignored the security issues and didn't disclose them.' One such security risk was identified in 2017 but unfortunately was never attended to, exposing the game streaming platform to future attacks and bigger risks such as the one recently.

Back in 2015 a security issue on Twitch had exposed certain accounts to unauthorized access but was shunned in the coming weeks. According to previous employees at Twitch, a hack of a large magnitude was inevitable due to the messy environment within the company.

As it happened

The whole leak has been publically posted as a 125GB torrent file by an anonymous poster on the 4Chan messaging board, which is popular among gamers and conspiracy theorists. According to the message, the file contains everything that's to know about Twitch, including its commit history. As per the poster, the hack is aimed to "foster more disruption and competition in the online video streaming space." The personal message even called Twitch's community "a disgusting toxic cesspool."

The leak includes the company's three years' worth of details comprising source codes for the various gaming platforms (PC, mobile and console) used on the service and codes of the proprietary SDKs and the AWS services in use by the platform. It is interesting to note that the leak is labeled as part one – indicating more is to come from the hacker, which should be alarming for the platform.

While all this happened, Twitch justified the hack as an error in the AWS server configuration which allowed the hacker to access the data using a malicious third-party app. The AWS spokesperson said that the service was in no way at fault for this embarrassment and that AWS operated as intended.

Startling revelations

This hack has exposed information that is now being deciphered by the tech community who are always looking for such opportunities. The leaked data has put the detailed earnings of the top game streamers for all to analyze. The document lists the gaming sub-industry's gross earnings for top streamers from 2019 to October 2021. The gross earning for top account "CriticalRole" reached $9.6 million in total.

The top five earners have grossed around $35 million between them. According to the data, 13 accounts alone have made more than $108,000 in a year and more than 80 accounts have amassed $1million. The highest individual earner on the platform is Canada-based Félix Lengyel, going by the alias username "xQcOW". The streamer earned $8.4 million in the past year, and after this leak, Félix's followers will be startled by the amount of money their hero is making.

Moving on to other reveals, the Twitch hack has put parent company Amazon's own secrecy in jeopardy. There are details about a Steam rival under the wraps. The online game store is apparently codenamed "Vapor" and an obvious Twitch amalgamation in the future cannot be ruled out. This will integrate the viewing for streamers and the built-in games platform where these titles can be bought under one roof.

A code going by the name "Vapeworld" was also discovered in the extensive torrent file by Twitter user Sinoc. This is presumably a VR chat app having assets such as 3D emotes which will be integrated via Vapor into Twitch.

Final Thoughts

This surely isn't the entirety of the data that the hacker has to offer, and more could be served on the platter in the coming days. While Twitch is still trying to estimate the damage done, Amazon could also have more to lose than just its upcoming projects being left for everyone to see. Vital data such as APIs and server configurations are at risk of exposure.

Thankfully, the leak does not include the user passwords or other sensitive information like addresses. Pretty understandably, Ekram Ahmed of cyber security firm Check Point Software Technologies of Santa Clara, California urges users to immediately change their passwords and set up two-factor authentication to stay clear of any related hacks.

According to him, the leaking of source codes can have more serious results – especially when everything is out there in the open. It gives evildoers the perfect opportunity to release malware and steal sensitive information.