In an effort to “foster more disruption and competition in the online video streaming space,” an anonymous hacker has leaked the entirety of Twitch’s source code and creator earnings. The leak also contains info on an unreleased Steam competitor and data related to Twitch’s security tools. And unfortunately, this is just “part one” of an ongoing gigaleak.
Wrapped in a 125GB torrent, this leaked data was first shared on a 4chan thread the morning of October 6th. Trusted sources have verified its authenticity to Video Games Chronicle and The Verge, and Twitch confirms that it suffered a data breach (it hasn’t verified the leak’s authenticity). Some files in this leak were last modified on October 4th, a sign that Twitch may have been hacked just a few days ago.
All of Twitch’s source code is included in this leak, including the source code for the platform’s mobile, desktop, and console clients. Shockingly, this source code is so complete that it contains the full “commit history” from the company’s developers, that is, the notes written to describe each change made to the Twitch backend.
We can confirm a breach has taken place. Our teams are working with urgency to understand the extent of this. We will update the community as soon as additional information is available. Thank you for bearing with us.
— Twitch (@Twitch) October 6, 2021
Internal Twitch moderation tools also appear in the leak. The most notable (so far) is Twitch’s “red teaming system,” which allows moderators to pretend that they’re hackers. The leak also contains evidence that the “golden kappa” that users randomly receive is manually handed out by moderators. We still don’t know if any damaging security tools are tucked in this leak.
And if you’ve ever wondered how much your favorite streamer makes, you’ll probably find out on social media. This leak contains three years of payout data for Twitch creators. Some streamers have already verified that this leaked financial data matches their earnings, although we’re still not sure if this data is all-inclusive or only focuses on a fraction of Twitch streamers.
There are a few oddities here, too. Because this leak contains all properties owned by Twitch, such as CurseForge, it reveals some unreleased projects. The most notable is called Vapor, a games marketplace with a working title that clearly references Steam.
Some Vapeworld assets, including some 3d emotes with specular and albedo maps
I don't have whatever version of Unity installed that they used, so I'm limited in what assets I can get caps of with stuff like Blender and RenderDoc.
There's custom Unity plugins in here for devs too. pic.twitter.com/6y4woQDcst
— Sinoc (@Sinoc229) October 6, 2021
Early analysis of the Vapor data shows that Twitch is working on something called Vapeworld—fortunately (or unfortunately, depending on your priorities), this game has nothing to do with smoking cessation. It’s a VR chat client full of weird 3D Bob Ross emojis. We’re not sure if Vapeworld is an abandoned project or a work in progress, but its files were last modified this week.
The hacker who shared this data clearly did it for altruistic reasons, calling Twitch a “disgusting cesspool” that hampers competition in the “video streaming space.” As such, the leak doesn’t include a ton of personal data (aside from streamers’ earnings). It seems that the hacker intentionally omitted this data to protect users.
But any data breach is dangerous, and some analysts say that encrypted user passwords are a part of this leak (though these claims are unverified). Not to mention, hackers could use the Twitch source code to find vulnerabilities in its security system, and we’re still waiting for “part two” of this leak, which could target Twitch users instead of targeting the company.
I strongly suggest changing your Twitch password and enabling two-factor authentication on your account. And if you want to be extra safe, I suggest doing the same to your Amazon account, which may be linked to Twitch depending on how you signed up.