Twitch’s hacking worries aren’t over – The data leak was just “part 1”

Yesterday, it was confirmed that Twitch’s security had been compromised, with over 125GB of files leaking onto the web through 4chan. This data included Twitch’s source code, the earnings of top streamers and a planned Steam-like gaming client codenamed “Vapor”.  

Twitch has acknowledged that they have been hacked and that the files released online are legitimate. However, the company has stated that there is “no indication that login credentials have been exposed”, and that “full credit card numbers are not stored by Twitch”. This means that credit card details were not exposed, though Twitch has not confirmed that hackers have not accessed login credentials. As such, we recommend that Twitch users change their passwords to ensure that their accounts, and associated accounts, are safe. 

What’s more worrying is that yesterday’s leak was labelled at “part 1”, suggesting that more of Twitch’s data may be leaked in the future. User data was not included in Twitch’s 125GB data leak, which means that Twitch’s hackers may have more problematic data to share. If yesterday’s leak was just “part 1”, Twitch’s worries are far from over. 

Currently, Twitch is actively investigating the hack, but security experts are appalled that over 100GB of data could be taken from Twitch without their security spotting it. Below is a comment from Archie Agarwal, CEO of ThreatModeller, to Threatpost. Twitch’s security team has a lot to answer for.  

    Reading of a data breach that includes the entire source code, including unreleased software, SDKs, financial reports and internal red-teaming tools will send a shudder down [the spine of] any hardened infosec professional,

This is as bad as it could possibly be.

The first question on everyone’s mind has to be: How on earth did someone exfiltrate 125GB of the most sensitive data imaginable without tripping a single alarm?” he asked. “There’s going to be some very hard questions asked internally.