A Devastating Twitch Hack Sends Streamers Reeling

The data breach apparently includes source code, gamer payouts, and more.
Twitch sign
Today’s leak will have untold and unpredictable consequences for streamers.Photograph: Chesnot/Getty Images

This morning, an anonymous hacker released what they claim is an enormous cache of proprietary data from Twitch, the popular streaming platform, including Twitch.tv source code and streamers’ revenue information.

“Jeff Bezos paid $970 million for this, we’re giving it away FOR FREE,” wrote the poster on 4chan. Today’s leak, which its original poster described as “extremely poggers,” is by far the biggest to ever hit Twitch, which was acquired by Amazon in 2014.

The leak, first reported by Video Games Chronicle, reportedly contains 125 GB of data. That data includes the source code for Twitch.tv; Twitch’s mobile, desktop, and game console clients; proprietary SDKs; Twitch-owned properties including Vapor, Amazon’s alleged Steam competitor from Amazon Game Studios; and internal security tools. The leak does not appear to contain streamers’ or users’ personal information, but the damage appears extensive. The post is titled “twitch leaks part one,” implying that there may be more to come.

“Anytime source code gets leaked it’s not good and potentially disastrous,” says Ekram Ahmed, spokesperson at security firm Check Point. “It opens a gigantic door for evildoers to find cracks in the system, lace malware, and potentially steal sensitive information.”

The 4chan poster also referenced Twitch’s recent wave of hate raids, in which botmakers have been spamming marginalized streamers’ chats with bigoted harassment. Mentioning the #DoBetterTwitch hashtag (more commonly #TwitchDoBetter), the poster claimed that Twitch is a “disgusting cesspool.” They wrote that the leak, which appears to contain huge amounts of proprietary data, is to “foster more disruption and competition in the online video game streaming space.” Twitch has introduced several new tools to combat these hate raids, and sued two alleged hate raiders last month.

Twitch declined to comment to WIRED but confirmed Wednesday morning that a breach had taken place. “Our teams are working with urgency to understand the extent of this,” the official Twitch account tweeted. “We will update the community as soon as additional information is available.”

“I wish I could say I'm surprised,” says Avery, a streamer who goes by Littlesiha and does not publicly share her last name for privacy reasons. “It took Twitch two months to find a way to protect marginalized creators that were getting harassed, threatened, and doxed through chatbot raids. Security on the site feels like a joke at this point.”

While much of the data appears to be legitimate, there is some debate over the accuracy of streamers’ revenue numbers. Some streamers have tweeted that their payout numbers are accurate, while others have claimed otherwise. “It was wrong, for my number,” said popular Twitch personality Asmongold while streaming Amazon’s new video game New World this morning. “It's harder to fuck up more than this,” he told WIRED.

Also streaming on Twitch, Nick “NMP” Polom said, “I kind of feel violated right now.” His viewers, numbering in the tens of thousands, took the leak as an opportunity to meme, donating money attached to messages like “Seems like you need this more than me. I work at McDonald’s.” (On Twitter, he wrote that he is “live right now being relentlessly SHIT ON by my community for being ‘poor.’ THANKS @twitch.”) Although many streamers have expressed deep worry over the leak, some are turning it into a joke: Top streamer Chance “Sodapoppin” Morris, who was 42nd in the streamer revenue number list, begged his viewers not to view it as real: “I swear I’m one of the richest ones on the platform,” he joked. “I make WAY more than that.” (For many top streamers, Twitch payouts are just one revenue stream among many.) Streaming on Twitch, Felix “xQc” Lengyel shouted, “I told y’all—it’s trillionaire with a fucking ‘T’!”

Today’s leak will have untold and unpredictable consequences for streamers, many of whom make a precarious living off donations and temporary sponsorships. Rachel Tobac, CEO of SocialProof Security, tells WIRED that the leak’s earnings information can open up streamers to a potential financial risk. “Even if the streamer payout data is incorrect or has been falsified, cyber criminals could still be more interested in targeting those streamers’ accounts because they know they are extra-confirmed, high-value targets,” she says. “Twitch streamers have always had an elevated threat model because they're in the public eye, but leaked financial data increases their threat model even more.”

Tobac recommends that streamers secure their financial accounts today. And out of an abundance of caution, she adds, both streamers and users should also change their passwords to long, random, and unique strings of characters—you can see our picks for password managers here—and turn on two-factor authentication.


More Great WIRED Stories