Things that are not PogChamp: Amazon's Twitch has its source code, streamer payout data leaked

Fingers 'server config' error that allowed 'malicious third party' to peruse files


Updated Links to torrents that contain 128GB of data seemingly pulled from the Amazon-owned Twitch streaming service have been posted to 4chan.

Without a trace of irony, the anonymous poster described Twitch as "a disgusting toxic cesspool," and linked to the data, which they alleged contains the source code for the Twitch site, references to a Valve Steam marketplace competitor called Vapour, other bits of released and unreleased software, and data on payouts made to Twitch creators.

Twitter user Sinoc229 posted a lengthy thread detailing the content of the files. Elliot Padfield of creator "incubator" Padfield Ventures, who's also had a browse through the documents, told The Register: "I believe the leak is legitimate... the codebase appears to be real."

Padfield was less sure about the per-user earnings, which he reckoned would cause a lot of drama: the figures given run into millions of dollars for Twitch's top streamers over the past two years from paying subscribers and other sources. That said, a leak of its internal code could cost Twitch far more in terms of competitive advantage.

Comedian and writer Richard Herring, who has been a creator on Twitch thanks in part to the pandemic-induced closure of live venues, features in the earnings list. He noted that his figure "seems high" before pondering what chunks might be extracted before an actual payment is made. Many of the totals being shared on social media are also likely to cover the best part of two years' earnings rather than a single year's.

A breakdown of the data shared with The Register by Troy Hunt, Microsoft regional director and developer security MVP, showed that the seemingly leaked payouts ran from August 2019 until this month. Hunt pointed out that the 128GB torrent is compressed data, so the uncompressed haul is larger still. He also warned that it "will take a while to sift through and verify."

For now, it doesn't seem that user passwords, addresses or banking information were spilled, although the posted data does include multiple zip files supposedly detailing "payouts\all-revenues", with others titled "devtools", "chat" and, intriguingly, "kevinbacon".

Herring didn't think the leak, while potentially annoying, would stop him from using Twitch, and he told The Register: "For me it's just a convenient place to try out off-the-wall ideas (and in lockdown to give extra content to people) and the money goes back into making more content via our podcast company."

Neither Twitch nor parent firm Amazon responded to our multiple requests for comment, and neither had made any public statement about the issue on any platform at the time of publication.

It's fair to say its social media orifice, at least, was quick to comment earlier this week when things went wrong for another social network. Not ageing so well, is it, folks?


Updated to add at 15:32 UTC

Twitch has made a statement: "We can confirm a breach has taken place. Our teams are working with urgency to understand the extent of this. We will update the community as soon as additional information is available. Thank you for bearing with us."

Updated to add on 7 October

Like other, er, companies we could mention, Amazon's Twitch has blamed a "configuration" snafu for its woes.

In an update overnight, the firm said it had "learned that some data was exposed to the internet due to an error in a Twitch server configuration change that was subsequently accessed by a malicious third party."

It added that it had "no indication that login credentials" had been exposed.

"Additionally, full credit card numbers are not stored by Twitch, so full credit card numbers were not exposed."

The firm has reset all stream keys.
