Misconfigured Server Led to Leak of Twitch Source Code and Proprietary Tools

A misconfigured Twitch server allowed unknown parties to access and steal a massive amount of data, including proprietary software, source code, details on payouts to streamers, and potentially much more.

The data contains sensitive information regarding Twitch payouts made the platform to all top streamers in the past two years. The company said no other financial information was revealed, adding that “full credit card numbers are not stored by Twitch, so full credit card numbers were not exposed.”

It turns out that hackers didn’t actually compromise Twitch infrastructure -- they didn’t have to. Access was provided by mistake.

“We have learned that some data was exposed to the internet due to an error in a Twitch server configuration change that was subsequently accessed by a malicious third party,” said the company. “Our teams are working with urgency to investigate the incident.”

Twitch also reset all the stream keys, which means that all streamers have to get new ones and set up the equipment accordingly.

Of course, all Twitch users wonder if their credentials were leaked as well, but the platform says there’s no indication that login credentials were exposed. All the same, changing the passwords as soon as possible is a good idea.

The 4chan anonymous user who posted details on the leaked data also gave everyone access to a 125GB archive, which the user named part 1, hinting that there’s more to come. The company quickly confirmed the breach, but said that they are still trying to determine the extent of it.

We can confirm a breach has taken place. Our teams are working with urgency to understand the extent of this. We will update the community as soon as additional information is available. Thank you for bearing with us.
— Twitch (@Twitch) October 6, 2021

The leak information contains everything pertaining to Twitch and a good deal of data from Amazon, its parent company:

· The entirety of twitch.tv, with commit history going back to its early beginnings
· Mobile, desktop, and video game console Twitch clients
· Various proprietary SDKs and internal AWS services used by Twitch
· Every other property that Twitch owns, including IGDB and CurseForge
· An unreleased Steam competitor from Amazon Game Studios
· Twitch SOC internal red teaming tools (lol)

Since this is a developing story, more details are sure to follow.