Twitch Downplays This Month’s Hack, Says It Had Minimal Impact
In an update regarding this month’s security incident, Twitch downplayed the breach saying that it had minimal impact and only affected a small number of users.
“We’ve undergone a thorough review of the information included in the files exposed and are confident that it only affected a small fraction of users and the customer impact is minimal. We are contacting those who have been impacted directly,” Twitch said.
The company also stated that no login credentials or full credit card numbers/payment data belonging to users or streamers were exposed following last week’s massive data leak.
“Twitch passwords have not been exposed. We are also confident that systems that store Twitch login credentials, which are hashed with bcrypt, were not accessed, nor were full credit card numbers or ACH / bank information,” Twitch added.
Data exposed in the incident and leaked on the 4chan imageboard primarily contained documents from Twitch’s source code repository and a subset of creator payout data.
As explained in previous updates issued after the attack, the attackers could gain access to data due to a faulty server configuration change that exposed it to the Internet.
125 GB of source code and payment reports stolen
Although Twitch hasn’t revealed what servers were misconfigured, the unknown individual behind the leak said the data was allegedly stolen from roughly 6,000 internal Twitch Git repositories.
“Their community is also a disgusting toxic cesspool, so to foster more disruption and competition in the online video streaming space, we have completely pwned them, and in part one, are releasing the source code from almost 6,000 internal Git repositories,” the anonymous poster said.
According to the 4chan user, the archive leaked on the imageboard contained the following Twitch info:
- The entirety of twitch.tv, with commit history going back to its early beginnings
- Mobile, desktop, and video game console Twitch clients
- Various proprietary SDKs and internal AWS services used by Twitch
- Every other property that Twitch owns, including IGDB and CurseForge
- An unreleased Steam competitor from Amazon Game Studios
- Twitch SOC internal red teaming tools (lol)
- Creator payout reports from 2019 until now.
The 4chan thread was named “twitch leaks part one,” which hints at additional stolen data likely to be leaked in the future.