Twitch confirms data breach following massive leak

Video game streaming platform Twitch confirmed a data breach Wednesday, hours after an approximately 130 GB torrent was posted to 4chan that claimed to be a massive leak of the platform.

Twitch disclosed the breach in a statement on Twitter.

"We can confirm a breach has taken place. Our teams are working with urgency to understand the extent of this. We will update the community as soon as additional information is available. Thank you for bearing with us," the tweet read.

Twitch, founded in 2011, is primarily utilized by content creators for video game streaming and e-sports. Creators typically earn revenue from ads, subscriptions and donations. Amazon acquired Twitch in 2014 for $970 million.

The Twitch leak which apparently motivated the disclosure was published to 4chan Wednesday morning, and allegedly contains "the source code from almost 6,000 internal Git repositories" including "the entirety of Twitch.tv," various Twitch clients, proprietary SDKs, internal red teaming tools, creator payout reports dating back to 2019 and more.

In the original post announcing the leak, which has since been deleted, leakers cited the Twitch community as a primary motive behind breach.

"Their community is also a disgusting toxic cesspool, so to foster more disruption and competition in the online video streaming space, we have completely pwned them," the post read, describing the current torrent as "part one."

It added, "Jeff Bezos paid $970 million for this, we're giving it away FOR FREE."

SearchSecurity has independently verified that links to a torrent affiliated with the apparent Twitch leak are available online.

Though Twitch has not said that the data is accurate, multiple streamers tweeted that the revenue numbers in the leak match their own.

Twitch responded to SearchSecurity's request for comment with a copy of the statement the company issued on Twitter, but it declined to answer questions or provide additional details about the breach.

UPDATE 10/7: Twitch published an update Thursday morning that attributed the breach to a server misconfiguration, though the company did not comment on the veracity of the leaked data.

"We have learned that some data was exposed to the internet due to an error in a Twitch server configuration change that was subsequently accessed by a malicious third party. Our teams are working with urgency to investigate the incident," the company said in the statement. "As the investigation is ongoing, we are still in the process of understanding the impact in detail. We understand that this situation raises concerns, and we want to address some of those here while our investigation continues."

Twitch also said there was no evidence that any login credentials had been exposed. However, Twitch posted a second update Thursday morning that said all stream keys had been reset "out of an abundance of caution." The company said some users may have to manually update their streaming software with new keys.

Alexander Culafi is a writer, journalist and podcaster based in Boston.