Twitch, the live-video site popular with gamers, said Wednesday that it had endured a data breach that security researchers believe may have provided sweeping insight into the platform’s computer code, security vulnerabilities and payments to its content creators.
The confirmation by Twitch, which is owned by Amazon, that it had been breached came hours after a user posted what they claimed was an enormous trove of Twitch data onto the anonymous message board website 4chan. The user said the 128 gigabyte file was only the first part of the leak.
The user said the file contained, among other items, the history of Twitch’s source code; proprietary software development kits; an unreleased competitor to Steam, an online games store; programs Twitch was using to test its own security vulnerabilities; and a list of the amount of money that each of the site’s streamers has earned since 2019.
“Find out how much your favorite streamer is really making!” the user posted. “Jeff Bezos paid $970 million for this, we’re giving it away FOR FREE.”
Twitch did not respond to a request for comment about details of the breach. “Our teams are working with urgency to understand the extent of this,” the company wrote on Twitter. “We will update the community as soon as additional information is available.”
Ekram Ahmed, a spokesperson for Check Point, a cybersecurity company, said that it was the company’s “strong suspicion” that Twitch’s code had truly been leaked, which was “potentially disastrous.”
“It opens a gigantic door for evildoers to find cracks in the system, lace malware and potentially steal sensitive information,” he said.
The incident sent Twitch’s community of streamers into a panic.
Kaitlyn Siragusa, known to her 4.4 million followers as Amouranth, said in a text message that it was “quite shocking so much information could be breached.” Saqib Zahid, who streams to his 2.8 million followers as Lirik, said in a Twitter direct message that the incident was “frustrating,” but he was “not surprised.” Natalia Mogollon, known as Alinity online, said via a Twitter direct message that her reaction was “disappointment.”
And Félix Lengyel, one of the top earners and most notable personalities on the platform, simply tweeted in all-caps: “HEY @TWITCH EXPLAIN?”
According to the list of earnings, which could not be independently verified, some notable personalities had made millions of dollars since 2019. Some streamers confirmed their numbers were accurate — though others disputed the figures.
“All data in there on me is 100% true in terms of payout value info,” tweeted Scott Hellyer, a streamer who goes by tehMorag. “This is real and will impact people for years.”
Another streamer, Hasan Piker, anticipated people getting angry about the amount of money the list said he had made.
The 4chan user included the hashtag #DoBetterTwitch, a variation of the hashtag #TwitchDoBetter that has been used in recent months by members of the Twitch community after the proliferation of so-called hate raids, in which users bombard streamers, particularly women and people of color, with abusive and offensive messages.
Independent cybersecurity researchers said they were analyzing the data and combing the so-called dark web in order to figure out what had happened.
“Twitch leak is real. Includes significant amount of personal data,” tweeted Kevin Beaumont, a cybersecurity researcher. “If the people involved truly want to fight toxicity in gaming, they might want to look into a mirror as that kind of leak is toxic behavior.”
How to protect yourself after a data breach
Before you read any further, change the password on your compromised account — in this case, Twitch. And if any of your other accounts use the same password, change those too.
Internet users should assume that their information could some day be compromised, said Barbara Endicott-Popovsky, the director of the University of Washington’s cybersecurity program. “It’s inevitable that you’ll be breached, if you have anything anyone could possibly want,” she said. “If it’s valuable enough, attackers will move heaven and earth to get it.”
But we can take precautions to minimize that risk. After changing your password, the federal government’s Cybersecurity and Infrastructure Security Agency recommends enabling multifactor authentication everywhere you can, running regular anti-virus scans, patching your operating system software and blocking inbound connections to your router. If you’re a Twitch streamer, consider resetting your stream key. And in the days to come, monitor any payment methods you use on Twitch for illegitimate transactions.
Amelia Phillips, who heads Highline College’s cybersecurity program, also advises internet users to use different email addresses on different accounts — for instance, a different email address for banking as opposed to gaming.
The Twitch breach, she said, is “scary” in its scope. Local businesses should take the hack as a sign to investigate their own security systems, and ensure their networks are set up so that only authorized individuals have access to sensitive information. Even then, she said, “all it takes is one person clicking on something they should not have and downloading malware.”
Seattle Times business reporter Katherine Anne Long contributed reporting on protecting your data.