An anonymous hacker has claimed to have leaked the entirety of Twitch, including its source code, user payout information, and encrypted passwords.
As reported in VGC, the hacker posted a 125GB torrent link to the online forum 4chan this morning (October 6) with the intent to “foster more disruption and competition in the online video streaming space” because “their community is a disgusting toxic cesspool”.
According to the 4chan post, the leak reportedly includes the following:
- Entirety of Twitch.tv, with comment history “going back to its early beginnings”
- Creator payout reports dating back to 2019
- Mobile, desktop and console Twitch clients
- Various proprietary SDKs and internal AWS services used by Twitch
- An unreleased Steam competitor, codenamed Vapor, from Amazon Game Studios
- Every other property that Twitch owns including IGDB and CurseForge
- Twitch internal ‘red teaming’ tools (designed to improve security by having staff pretend to be hackers)
The 4chan post also included the #DoBetterTwitch hashtag, similar to the hashtag originally used by Twitch streamers who went on strike last month in protest over the platform’s perceived lack of action over combatting online abuse and the spike in ‘hate raids’ against marginalised streamers. There is no evidence to suggest that the leak is related to the protests.
One anonymous company source has confirmed that the leaked data is legitimate, including the platform’s source code.
Some users have also begun sorting through data on the 125GB torrent, with one claiming that it includes encrypted passwords, and recommending that users change their passwords and enable two-factor authentication.
https://t.co/7vTDeRA9vt got leaked. Like, the entire website; Source code with comments for the website and various console/phone versions, references to an unreleased steam competitor, payouts, encrypted passwords that kinda thing.
Might wanna change your passwords.
— Sinoc (@Sinoc229) October 6, 2021
For those with a Twitch account, it’s recommended that you turn on two-factor authentication, so that even if your password is compromised, you still need your phone to prove your identity with either an SMS or an authenticator app.
To turn on two-factor authentication:
- Log on to Twitch, click your avatar and choose Settings
- Go to Security and Privacy, then scroll down to the Security setting
- Choose Edit Two-Factor Authentication and then follow the instructions using your phone
NME has contacted Twitch for comment.
Elsewhere, Panzer Dragoon VR has reportedly been cancelled following false claims that the producer had died, which confusingly came from a now-deleted tweet via the game’s Twitter account.