On Wednesday, an anonymous poster published 135 gigabytes of internal data stolen from Twitch, Amazon’s streaming platform. The leaker said this is “part one” of the leak, but did not say what else might be coming.
The leak, posted on 4chan, included source code, internal tools, and, crucially, spreadsheets that detail how much money every streamer on the platform (including Twitch’s biggest stars) makes.
Motherboard has begun to analyze some of the files within the breach, and has spoken to a former member of Twitch’s security team, who believes that the stolen source code and scripts are not devastatingly sensitive. What is sensitive is the streamer revenue data, and any potential personal information about streamers that could come in future parts of the leak.
In a tweet, Twitch confirmed the breach.
“Our teams are working with urgency to understand the extent of this,” the company wrote. “We will update the community as soon as additional information is available.”
Scott Hellyer, one of the streamers whose data is in the leak, told Motherboard about the damage the leak will do to him.
“I really hope that no major personal info (full names, emails, address, phone number, banking info) gets out in the rumored next part of the leak,” he said. “People are going to be harassed for this info as it now fully confirms what some sites have been trying to figure out through bots scanning channels. Real dollar values will push people to think differently about who they watch if it can’t be discussed/disclosed unfortunately.”
“Next step for me is to communicate with my community about online security and how to stay safe. I’ll take the heat if people are surprised about how much I make in the coming days and try to have an open dialog about it (within the limits of what I can say because of my contract),” he added.
Hasan Piker, one of the platform’s biggest streamers, instantly had his revenue data published, and began trending on Twitter. “just woke up to some fun news,” he tweeted. “can’t wait for ppl to be mad at me about my publicly available sub count again.”
Do you work at Twitch? Do you have more information about this breach? Do you stream on Twitch and you have been affected by this leak? We’d love to hear from you. Using a non-work phone or computer, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, OTR chat at lorenzofb@jabber.ccc.de, or email lorenzo@motherboard.tv.
Besides streamer data, the leak includes data from Twitch’s security team, such as diagrams drawn on a whiteboard about the company’s “threat model” (which notably didn’t include 4chan), and various scripts it uses for security purposes. Some of the source code and diagrams are years old, but the revenue data includes information from the last few years and is as recent as the last few months.
Thomas Shadwell, a former Twitch security engineer, told Motherboard that the data related to security that’s been leaked is not that sensitive, and mostly several years old.
“The security-related code in the ‘infosec’ folder is code I wrote many years ago to standardize security code in several key projects we were working on,” Shadwell said in an online chat. “The code itself was largely superseded by code which is maintained by Twitch’s core engineering teams, rather than myself.”
Shadwell added that it’s “very unlikely there’s anything worrying from the security side in there unless it was introduced after I left a year and a half ago” and that “the actual compromise is probably no bigger than what’s in the drop, since there was a very big effort to move all secrets out of the source code.”
In terms of the non-security related source code that was leaked, Shadwell said that is indeed Twitch source code, “but we worked hard to make sure there was nothing sensitive in the source, so the issue is probably mostly IP related.”
In other words, this Twitch hack and leak may be worse for streamers and content creators than for the company itself.
“If the earnings thing is real, I think it’s sad. People deserve that kind of privacy,” Shadwell said.
“Streamers already have an elevated threat model because they’re in the public eye and deal with harassment and cyber threats constantly (like SIM-swaps, swatting attacks, unwanted food deliveries, etc). Leaking the personal earning details for these streamers unfortunately increases their threat model even more,” Rachel Tobac, CEO of SocialProof Security, told Motherboard in an online chat. “Cyber criminals often target individuals with definitive high net worth — now that this Twitch payout data is public, scammers may attempt to perform account takeovers on Twitch streamers’ financial services accounts and steal that money.”
Tobac suggested that streamers lock down their financial services accounts as soon as possible.
“PayPal and their Bank should have a strong, unique and long password (and should not be reused anywhere) and they’ll want to upgrade their MFA to the strongest form available (at least app-based MFA, preferably security key, though that’s not available for many financial institutions),” she said.