UPDATE 4.30pm UK: Twitch has finally acknowledged this morning's reports of a security breach and has said it is now investigating further.
"We can confirm a breach has taken place," Twitch said in a message posted to Twitter. "Our teams are working with urgency to understand the extent of this. We will update the community as soon as additional information is available. Thank you for bearing with us."
We can confirm a breach has taken place. Our teams are working with urgency to understand the extent of this. We will update the community as soon as additional information is available. Thank you for bearing with us.— Twitch (@Twitch) October 6, 2021
ORIGINAL STORY 10.45am UK: Twitch source code appears to have been leaked by an anonymous hacker, including streamer payout reports.
A 126GB torrent has been uploaded to 4chan, describing the Twitch community as a "disgusting toxic cesspool". The intention for the leak is to "foster more disruption and competition in the online video streaming space".
According to the 4chan post, the leak reportedly includes the following:
- Entirety of twitch.tv, with commit history going back to its early beginnings
- Mobile, desktop and video game console Twitch clients
- Various proprietary SDKs and internal AWS services used by Twitch
- Every other property that Twitch owns including IGDB and CurseForge
- An unreleased Steam competitor from Amazon Game Studios
- Twitch SOC internal red teaming tools
- Creator payout reports dating back to 2019
The 4chan post also included the #DoBetterTwitch hashtag. A similar hashtag was originally set up by marginalised streamers to push Twitch to improve safety measures on the platform and prevent hate raids.
Streamers also organised #ADayOffTwitch to protest against the streaming platform, but this leak is not linked to this community.
Users have now begun sorting through data on the torrent, including publishing streamer revenue numbers.
https://t.co/7vTDeRA9vt got leaked. Like, the entire website; Source code with comments for the website and various console/phone versions, refrences to an unreleased steam competitor, payouts, encrypted passwords that kinda thing.— Sinoc (@Sinoc229) October 6, 2021
Might wana change your passwords.
The 4chan user also states this is part one of the leak, with presumably more data to share at a later date.
Twitch users are advised to change their passwords, set up two-factor authentication, and reset their stream key to protect their data.
Eurogamer has contacted Twitch for comment.