Massive Twitch data breach and leak confirmed

Amazon-owned game-streaming platform Twitch has confirmed it has experienced a significant data breach after a hacker was able to access its servers. Over 125GB of data was posted on the 4chan message board on Wednesday, and there are fears more data will be leaked in the coming days.

Confirming the breach, Twitch posted on Twitter: “We can confirm a breach has taken place. Our teams are working with urgency to understand the extent of this. We will update the community as soon as additional information is available. Thank you for bearing with us.”

How did the leak occur?

A statement on the Twitch blog said: “We have learned that some data was exposed to the internet due to an error in a Twitch server configuration change that was subsequently accessed by a malicious third party. Our teams are working with urgency to investigate the incident.”

What data has been leaked?

Twitch assured users in its statement that it doesn’t store complete credit card details, so hackers have been unable to acquire such data. It is unknown at present whether user data, including passwords and email addresses, has been stolen. However, the 125GB data leak was labelled “Part One,” raising concerns over what may be included in subsequent releases.

This leak included:

  • Three years’ worth of details relating to Twitch creator payouts. Several Twitch creators confirmed to the BBC that the earnings figures leaked were accurate.
  • The entirety of twitch.tv.
  • Source code for Twitch’s mobile, desktop, and videogame console apps.
  • Code related to software development kits and internal Amazon Web Services features utilised by Twitch.
  • An unreleased Steam competitor being developed by Amazon Game Studios.
  • Data relating to other Twitch properties, including IGDB and CurseForge.
  • Internal security tools used by Twitch.

Given what has been stolen, this is potentially the most significant data breach in history, with most, if not all, of Twitch’s internal data and code stolen at once.

Embarrassment for Twitch, but could the long-term damage be worse?

Twitch is famous for guarding creator details and earnings. Many creators choose to stream via Twitch because they can (or could!) rely on the platform to protect their data and earnings information.

Not only will this data breach and leak prove hugely embarrassing for Twitch, but it could be a damaging incident in a business sense, too. Platforms like YouTube Gaming are currently offering significant salaries to gamers to stream exclusively on their platforms. As such, this incident may herald the start of an exodus away from Twitch, which has already been dealing with a considerable increase in abuse and harassment of creators in recent months, alongside accusations it isn’t doing enough to prevent such incidents.

What does this mean for Twitch users?

While those involved in this incident seem to be focused on damaging Twitch rather than stealing user data, it remains to be seen what information will be found in any further leaks.

Although there is currently no indication that users are at risk, it is still worth taking steps to secure how you access the platform if you have a Twitch account.

If you haven’t already done so, you should consider:

  • Changing your Twitch password.
  • Subscribing to a password generator or keeper, so that you have strong passwords that are difficult for others to guess or access.
  • Enabling two-factor authentication (2FA) on your account. Given the recent Coinbase hacking incident, which exploited weaknesses in the crypto exchange’s 2FA process, aim to use an authentication app rather than SMS or email authentication.

If your personal details do end up being exposed, you could be entitled to compensation

While Twitch publicly disclosed the data breach on 6th October, the Information Commissioner’s Office (ICO) hadn’t been notified of a breach by Twitch or Amazon as of the following day.

It remains to be seen whether user data has been stolen and will be leaked following this incident. If this does occur and your data is exposed, you could be entitled to compensation.

LawPlus will await the outcome of any ICO investigation before pursuing claims on behalf of compromised users; however, you can still contact us in the meantime so we can collect your details and information about how this Twitch incident has affected you.

Contact us here to share your experience of this significant Twitch data breach.