Image: FREDERIC J. BROWN / AFP via Getty Images
On Wednesday, an anonymous user posted 135 gigabytes of internal data stolen from Twitch, Amazon’s streaming platform. The leaker said this was the “first part” of the leak, but did not say what else might follow.
The leak, posted on 4chan, included source code, internal tools, and most importantly, spreadsheets that detail how much money each streamer on the platform (including Twitch’s biggest stars) earns.
Motherboard began reviewing some of the files in the breach and spoke to a former member of the Twitch security team, who believes the leaked source code and scripts are not extremely sensitive. What is sensitive is the data on streamers’ income, and any personal information about streamers that might appear in future parts of the leak.
In a tweet, Twitch confirmed the breach.
“Our teams are urgently working to understand the extent of this,” the company wrote. “We will update the community as more information becomes available.”
Scott Hellyer, one of the streamers whose data is in the leak, told Motherboard about the damage the leak would cause him.
“I really hope that no important personal information (full names, emails, address, phone number, banking information) is leaked in the next part of the leak,” he said. “People are going to be hassled for this information because it now fully confirms what some sites have tried to figure out through bots scanning channels. Real dollar values will cause people to think differently about who they are looking at if that cannot be discussed/disclosed, unfortunately.”
“The next step for me is to communicate with my community about online safety and how to stay safe (within the limits of what I can say because of my contract),” he added.
One of the biggest streamers on the platform, Hasan Piker, quickly posted his own earnings data and started trending on Twitter. “I just woke up to some funny news,” he tweeted. “I can’t wait for ppl to be mad at me again about my publicly available subscriber count.”
In addition to the streamer data, the leak includes material from Twitch’s security team, such as whiteboard diagrams of the company’s “threat model” (which notably did not include 4chan) and various scripts it uses for security purposes. Some of the source code and diagrams are several years old, but the revenue data covers recent years and runs up to the last few months.
Thomas Shadwell, a former Twitch security engineer, told Motherboard that the leaked security-related data is not that sensitive, and most of it is several years old.
“The security-related code in the ‘infosec’ folder is code I wrote many years ago to standardize security code across several key projects we were working on,” Shadwell said in an online chat. “The code itself has largely been replaced by code that is maintained by the core Twitch engineering teams, rather than myself.”
Shadwell added that it is “very unlikely that there is anything to worry about on the security side unless it was introduced after I left a year and a half ago” and that “the actual compromise is probably not greater than what’s in the dump, since there was a very big effort to move all secrets out of the source code.”
Regarding the non-security source code that was leaked, Shadwell said it was Twitch source code, “but we worked hard to make sure there was nothing sensitive in the source, so the problem is probably mostly with the IP.”
In other words, this Twitch hack and leak may be worse for streamers and content creators than for the company itself.
“If the income issue is real, I think it’s sad. People deserve that kind of privacy,” Shadwell said.
“Streamers already have a high threat model as they are in the public eye and constantly face harassment and cyber threats (like SIM swaps, swatting attacks, unwanted food deliveries, etc.). The leak of these streamers’ personal income details unfortunately raises their threat model even more,” Rachel Tobac, CEO of SocialProof Security, told Motherboard in an online chat. “Cybercriminals often target people whose net worth is known to be high. Now that this Twitch payment data is public, crooks can attempt account takeovers of Twitch streamers’ financial services accounts and steal that money.”
Tobac suggested that streamers lock down their financial services as soon as possible.
“PayPal and their bank should have a strong, unique, and long password (one that isn’t reused anywhere), and they’ll want to upgrade their MFA to the strongest form available: at least app-based MFA, preferably a security key (although this is not available at many financial institutions),” she said.