Image: FREDERIC J. BROWN/AFP via Getty Images
An anonymous poster has published 135 gigabytes of internal data stolen from Twitch, the Amazon-owned streaming platform. The poster labeled the dump "part one" but did not say what else might be coming.
The leak, posted to 4chan, contains source code, internal tools and, most notably, spreadsheets detailing how much each streamer, including Twitch's biggest stars, makes.
Motherboard has reviewed some of the files in the breach and spoken with a former member of Twitch's security team, who believes the leaked source code is not especially sensitive. The most sensitive material is the streamer revenue data, along with any personal information about streamers that might surface in future leaks.
Twitch confirmed the breach in a tweet.
"Our teams are working with urgency to understand the extent of this," the company wrote. "We will update the community as soon as additional information is available."
Scott Hellyer, a streamer whose data was included in the leak, told Motherboard he is worried about the damage it could cause.
"I really hope that no major personal info (full names, emails, address, phone number, banking info) gets out in the rumored next part of the leak," he said. "People are going to be harassed for this info as it now fully confirms what some sites have been trying to figure out through bots scanning channels. Real dollar values will push people to think differently about who they watch if it can't be discussed/disclosed unfortunately."
"Next step for me is to communicate with my community about online security and how to stay safe. I'll take the heat if people are surprised about how much I make in the coming days and try to have an open dialog about it (within the limits of what I can say because of my contract)," he concluded.
Hasan Piker, one of the largest streamers on Twitch, immediately had his revenue data circulated and began trending on Twitter. "just woke up to some fun news," he tweeted. "can't wait for ppl to be mad at me about my publicly available sub count again."
Do you work at Twitch? Do you have information about this breach? Are you a Twitch streamer affected by the leak? We'd love to hear from you. Using a non-work phone or computer, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, OTR chat at [email protected], or email [email protected]
Beyond streamer data, the leak also includes material from Twitch's security team, such as whiteboard diagrams of the company's "threat model" and several scripts used for security purposes. While some of the source code and diagrams may be years old, the revenue data covers the past few years and is as recent as last month.
Thomas Shadwell, a former Twitch security engineer, said the leaked security-related material is not very sensitive and is mostly several years old.
"The security-related code in the 'infosec' folder is code I wrote many years ago to standardize security code in several key projects we were working on," Shadwell said in an online chat. "The code itself was largely superseded by code which is maintained by Twitch's core engineering teams, rather than myself."
Shadwell said it is "very unlikely there's anything worrying from the security side in there unless it was introduced after I left a year and a half ago," and that "the actual compromise is probably no bigger than what's in the drop, since there was a very big effort to move all secrets out of the source code."
Shadwell said the non-security source code in the leak does appear to be Twitch's, "but we worked hard to make sure there was nothing sensitive in the source, so the issue is probably mostly IP related."
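Shadwell's assessment rests on whether credentials had actually been moved out of the code before it leaked, and that is something any team can check for itself. The scanner below is an added example written for this article; it is not Twitch code and not from the leak. It walks a constructed, in-memory file tree (the paths, variable names and values are made up, except the AWS key ID, which is Amazon's documented dummy example) looking for two things: identifiers with a fixed, recognisable key format, and credential-named variables assigned a quoted literal. Values pulled from the environment are deliberately not literals and so are not flagged, and obvious placeholders are skipped. Each hit is reported with its Shannon entropy so a reviewer can triage random-looking keys ahead of dictionary words.

```python
import math
import re
from collections import Counter
from typing import Dict, List, NamedTuple


class Finding(NamedTuple):
    path: str
    line: int
    rule: str
    value: str
    entropy: float


# AWS access key IDs have a fixed, recognisable shape: AKIA/ASIA + 16 chars.
AWS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")

# A credential-named identifier (password, secret, api_key, token, ...)
# assigned a quoted literal of at least six characters. A value read from
# the environment or a secrets manager is not a literal, so it is not matched.
ASSIGN_RE = re.compile(
    r"(?i)\b\w*(?:password|passwd|secret|api[_-]?key|token)\w*['\"]?\s*[:=]\s*"
    r"['\"]([^'\"]{6,})['\"]"
)

# Obvious placeholders that should not count as leaked credentials.
PLACEHOLDERS = {"changeme", "example", "password", "xxxxxx"}


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random keys score high, words score low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_text(path: str, text: str) -> List[Finding]:
    """Return every credential-looking hit in one file's contents."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        seen = set()
        # Specific key formats first, so the generic rule does not double-report.
        for m in AWS_KEY_RE.finditer(line):
            seen.add(m.group(0))
            findings.append(Finding(path, lineno, "aws-access-key-id",
                                    m.group(0), shannon_entropy(m.group(0))))
        for m in ASSIGN_RE.finditer(line):
            value = m.group(1)
            if value in seen or value.lower() in PLACEHOLDERS:
                continue
            findings.append(Finding(path, lineno, "hardcoded-credential",
                                    value, shannon_entropy(value)))
    return findings


def scan_tree(tree: Dict[str, str]) -> List[Finding]:
    """Scan a mapping of path -> file contents in a stable (sorted) order."""
    out: List[Finding] = []
    for path in sorted(tree):
        out.extend(scan_text(path, tree[path]))
    return out


# Constructed, made-up file tree used as the scanner's input. Nothing here is
# from the Twitch leak; the key ID is Amazon's documented dummy example value.
SAMPLE_TREE = {
    "infosec/token.go": (
        "package infosec\n"
        "\n"
        "var apiKey = \"AKIAIOSFODNN7EXAMPLE\"\n"
    ),
    "web/settings.py": (
        "import os\n"
        "DB_PASSWORD = 'hunter2'\n"                       # literal: flagged
        "SESSION_SECRET = os.environ['SESSION_SECRET']\n"  # from env: not flagged
        "ADMIN_PASSWORD = 'changeme'\n"                    # placeholder: skipped
    ),
    "deploy/config.json": '{"region": "us-west-2", "deploy_token": "s3cr3tT0k3n-9f8e7d"}\n',
    "README.md": "Secrets live in the secrets manager, not in this repo.\n",
}

if __name__ == "__main__":
    for f in scan_tree(SAMPLE_TREE):
        print(f"{f.path}:{f.line} {f.rule} {f.value!r} entropy={f.entropy:.2f}")
```

Run against a real checkout by replacing SAMPLE_TREE with a walk of the repository, and treat the patterns as a starting point rather than a complete rule set; the point of the example is the structure (format-specific rules first, generic assignment rule second, placeholder and environment-lookup exclusions) rather than the particular regexes.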
If Shadwell is right, the Twitch hack and leak may be worse for streamers and content creators than for the company itself.
"If the earnings thing is real, I think it's sad. People deserve that kind of privacy," Shadwell said.
"Streamers already have an elevated threat model because they're in the public eye and deal with harassment and cyber threats constantly (like SIM-swaps, swatting attacks, unwanted food deliveries, etc). Leaking the personal earning details for these streamers unfortunately increases their threat model even more," Rachel Tobac, CEO of SocialProof Security, told Motherboard in an online chat. "Cyber criminals often target individuals with definitive high net worth — now that this Twitch payout data is public, scammers may attempt to perform account takeovers on Twitch streamers' financial services accounts and steal that money."
Tobac advised streamers to lock down their financial accounts as soon as possible.
"PayPal and their bank should have strong, unique, and long passwords (and should never be reused anywhere). They'll also want to upgrade their MFA (at least app-based, or better a security key, though this is not available for all financial institutions)," she said.