Twitch confirms data exposed in major leak, but "no indication" passwords leaked

UPDATE: "Twitch passwords have not been exposed."

UPDATE 15/10/21: Twitch has released a further statement with regard to the recent data leak, confirming that passwords have not been exposed.

"As we said previously, the incident was a result of a server configuration change that allowed improper access by an unauthorized third party. Our team took action to fix the configuration issue and secure our systems," it reads.

"Twitch passwords have not been exposed. We are also confident that systems that store Twitch login credentials, which are hashed with bcrypt, were not accessed, nor were full credit card numbers or ACH / bank information.

"The exposed data primarily contained documents from Twitch's source code repository, as well as a subset of creator payout data. We've undergone a thorough review of the information included in the files exposed and are confident that it only affected a small fraction of users and the customer impact is minimal. We are contacting those who have been impacted directly.

"We take our responsibility to protect your data very seriously. We have taken steps to further secure our service, and we apologize to our community."


ORIGINAL STORY 07/10/21: After a major leak of its source code, Twitch has commented in more detail via a new blog post confirming "some data" had been exposed, although there was "no indication" that login details had leaked.

The post follows an initial comment on Twitter from the Amazon-owned streaming platform, as previously reported.

The Twitch source code was leaked by an anonymous hacker on 4chan, with the intention to "foster more disruption and competition in the online video streaming space". The data includes streamer revenue reports and an unreleased Steam competitor from Amazon Game Studios.

"We have learned that some data was exposed to the internet due to an error in a Twitch server configuration change that was subsequently accessed by a malicious third party. Our teams are working with urgency to investigate the incident," reads the Twitch blog post.

"As the investigation is ongoing, we are still in the process of understanding the impact in detail. We understand that this situation raises concerns, and we want to address some of those here while our investigation continues.

"At this time, we have no indication that login credentials have been exposed. We are continuing to investigate.

"Additionally, full credit card numbers are not stored by Twitch, so full credit card numbers were not exposed."

The company has further emailed streamers directly to notify them that stream keys have been reset and that, depending on the software used, streamers may need to update the software with the new key.

Streamers have also been advising each other to change Twitch passwords and activate two-factor authentication.

Cybersecurity experts have warned of the potentially dire consequences of the leak.

As shared by PC Gamer, founder and CEO of ThreatModeler Archie Agarwal told the Threatpost blog: "This is as bad as it could possibly be.

"The first question on everyone's mind has to be: How on earth did someone exfiltrate 125GB of the most sensitive data imaginable without tripping a single alarm?" he said. "There's going to be some very hard questions asked internally."

BBC cyber reporter Joe Tidy said: "And if it is all confirmed, it will be the biggest leak I have ever seen - an entire company's most valuable data cleaned out in one fell swoop."

He added that the attack's fallout could be significant when YouTube Gaming has already poached some of Twitch's biggest streamers with the lure of big contracts.

The release of top streamer revenue also calls into question the lack of diversity among the top earners. There is a wealth of diversity among Twitch streamers, but when white men dominate earnings figures it suggests a lack of discoverability and visibility of diverse communities - something marginalised streamers have rallied against with #TwitchDoBetter.

And with issues like the hot tub meta from earlier this year that had male streamers complaining about their viewers being stolen, the release of these figures proves that simply isn't true.

At the top of the leaked earnings list is Critical Role, a TTRPG company who do champion diversity. If anything this just proves the power of having an inclusive environment on Twitch.

All of this comes as little surprise to marginalised streamers. "All that energy we spend pissing and crying about how women were 'making a dangerous precedent' amidst incels shouting 'titty streamers' and they're not even in the same grouping for payouts," Twitch streamer PleasantlyTwstd said on Twitter. "Find the Black person on [the top earnings list] while you're at it."

Other streamers have pointed out the 50-50 revenue split Twitch takes on streamer earnings, which further highlights the amount of money Twitch itself makes from its streamers.
