Twitch has confirmed that it has suffered a major data breach, and that a hacker accessed the company’s servers thanks to a misconfiguration change. “We can confirm a breach has taken place,” says a Twitch spokesperson on Twitter. “Our teams are working with urgency to understand the extent of this. We will update the community as soon as additional information is available.”
Twitch admits a hacker was able to access data that was mistakenly exposed to the internet “due to an error in a Twitch server configuration change that was subsequently accessed by a malicious third party.” The company says it has “no indication that login credentials have been exposed,” and that “full credit card numbers were not exposed.”
Hackers have so far leaked data that includes source code for the company’s streaming service, an unreleased Steam competitor from Amazon Game Studios, and details of creator payouts. An anonymous poster on the 4chan messaging board released a 125GB torrent earlier today, which they claim includes the entirety of Twitch and its commit history.
We can confirm a breach has taken place. Our teams are working with urgency to understand the extent of this. We will update the community as soon as additional information is available. Thank you for bearing with us.— Twitch (@Twitch) October 6, 2021
The leak has been labeled as “part one,” suggesting that there could be more to come. While personal information like creator payments is included, this initial leak doesn’t appear to include passwords, addresses, or email accounts of Twitch users. Instead, the leaker appears to have focused on sharing Twitch’s own company tools and information, rather than code that would include personal accounts.
It’s not clear how much data has been accessed, though. Twitch says it’s still working to understand its security breach, and it appears that some users are being asked to change their passwords. Twitch has also reset all stream keys on its service. “Out of an abundance of caution, we have reset all stream keys,” says an email to all Twitch streamers.
While Twitch is still investigating and says there’s no indication login details were exposed, we’d still recommend changing your Twitch password and enabling two-factor authentication if you haven’t already done so.
The Twitch leak will be damaging for the game streaming service either way and particularly for creators who rely on Twitch to keep their earnings and information secure. The hack follows weeks of protest for Twitch to improve its service under the #DoBetterTwitch movement. Twitch streamers also took a day off in August to protest against the company’s lack of action against hate raids.
Update, October 6th 11:32AM ET: Article updated with information on password resets.
Update, October 7th 3:25AM ET: Article updated with a new statement from Twitch, confirming it was hacked.