Amazon-backed livestreaming platform Twitch appears to have fallen victim to a significant cyber attack by a disgruntled user, who has leaked a 125GB torrent of the firm’s data via the 4chan “service”, with the sole intent of causing disruption, describing Twitch’s community as a “disgusting toxic cesspool”.
Gaming news website Video Games Chronicle (VGC), which was among the first to report the leak earlier, said the data dump was legitimate.
It supposedly includes Twitch’s source code and source code history; creator payment reports dating back to 2019; mobile, desktop and console clients; proprietary software development kits (SDKs) and internal Amazon Web Services (AWS) products in use at Twitch; other properties owned by Twitch; an unreleased Amazon Game Studios product codenamed Vapor; and Twitch’s red team hacking tools. According to the person or persons behind the attack, it may be the first in a series of planned leaks.
A Twitch spokesperson said: “We can confirm a breach has taken place. Our teams are working with urgency to understand the extent of this. We will update the community as soon as additional information is available. Thank you for bearing with us.”
According to some Twitter users who claim to have accessed the leaked dataset, it also includes encrypted passwords, so users of the service are best advised to immediately change their credentials and enable multi-factor authentication (MFA) if feasible.
Commenting on the apparent attack, ESET’s Jake Moore said: “This leak appears to be full of highly sensitive data and those affected must act fast to protect their information and identity. Although the stolen passwords are encrypted, if those passwords are not unique, the potential of them being reverse engineered is increased and they must therefore be changed on other accounts, too.
“The leaked source code will also be damaging to Twitch itself, which has remained a highly sought-after target, carrying huge kudos among the criminal hacking community,” he said. “With regular action taken against Twitch, even boycotting of the site and more data to be released, this could be extremely damaging to their reputation as well as financially.”
Twitch has recently become the focus of direct action by users in protest at harassment of girls and women, people of colour, and LGBTQIA+ users on its platform, much of it supposedly generated by bots conducting so-called hate raids in which users’ livestreaming channels are bombarded with abuse.
In September 2021, high-profile users led a day-long boycott of the service against perceived inaction on Twitch’s part, and there has already been unconfirmed speculation that the leak may relate to these hate raids.
Separately, UK telecoms regulator Ofcom today announced new protections for users of video sharing platforms (VSPs), including Twitch, and others such as TikTok and Vimeo, requiring the platforms themselves to take measures to protect under-18s from harmful video content, and all users from videos deemed likely to incite violence or hatred, or that contain certain types of criminal content.
The regulator said its own research had revealed a third of VSP users had witnessed or experienced hateful content, a quarter had seen violent or disturbing videos, and a fifth had seen videos that incited racial hatred.
The rules require VSP services operating in the UK to provide clear rules around uploading content, noting that uploading materials related to child sexual abuse, racism or terrorism may be a criminal offence; to implement easier reporting and complaint processes; and to restrict access to pornographic material by under-18s, if hosted.
“Online videos play a huge role in our lives now, particularly for children. But many people see hateful, violent or inappropriate material while using them,” said Ofcom chief executive Melanie Dawes.
“The platforms where these videos are shared now have a legal duty to take steps to protect their users. So we’re stepping up our oversight of these tech companies, while also gearing up for the task of tackling a much wider range of online harms in the future.”
This article was updated at 16:35 BST on 6 October 2021 to incorporate a statement from Twitch.