Things that are not PogChamp: Amazon's Twitch has its source code, streamer payout data leaked

Fingers 'server config' error that allowed 'malicious third party' to peruse files


Updated Links to torrents that contain 128GB of data seemingly pulled from the Amazon-owned Twitch streaming service have been posted to 4chan.

Without a trace of irony, the anonymous poster described Twitch as "a disgusting toxic cesspool," and linked to the data, which they alleged contains the source code for the Twitch site, references to a Valve Steam marketplace competitor called Vapour, other bits of released and unreleased software, and data on payouts made to Twitch creators.

Twitter user Sinoc229 posted a lengthy thread detailing the content of the files. Elliot Padfield of creator "incubator" Padfield Ventures, who's also had a browse through the documents, told The Register: "I believe the leak is legitimate... the codebase appears to be real."

Padfield was less sure about the per-user earnings, which he reckoned would cause a lot of drama: the figures given run into millions of dollars for Twitch's top streamers over the past two years from paying subscribers and other sources. That said, a leak of its internal code could cost Twitch far more in terms of competitive advantage.

Comedian and writer Richard Herring, who has been a creator on Twitch thanks in part to the pandemic-induced closure of live venues, features in the earnings list. He noted that his figure "seems high" before pondering what chunks might be extracted before an actual payment is made. There is also likely the best part of two years' worth of earnings in many of the totals being shared on social media.

A breakdown of the data shared with The Register by Troy Hunt, Microsoft regional director and developer security MVP, showed the payouts that were seemingly leaked went from August 2019 until this month. Hunt pointed out that the torrent was compressed data and so very sizeable. He also warned that it "will take a while to sift through and verify."

For now, it doesn't seem that user passwords, addresses or banking information were spilled, although the posted data does include multiple zip files supposedly detailing "payouts\all-revenues", with others titled "devtools", "chat" and, intriguingly, "kevinbacon".

Herring didn't think the leak, while potentially annoying, would stop him from using Twitch, and he told The Register: "For me it's just a convenient place to try out off-the-wall ideas (and in lockdown to give extra content to people) and the money goes back into making more content via our podcast company."

Neither Twitch nor parent firm Amazon responded to our multiple requests for comment and neither had made any public statement on any platform about the issue at the time of publication.

It's fair to say its social media orifice, at least, was quick to comment earlier this week when things went wrong for another social network. Not ageing so well, is it folks?

You can contact the author of this article directly here. ®

Updated to add at 15:32 UTC

Twitch has made a statement: "We can confirm a breach has taken place. Our teams are working with urgency to understand the extent of this. We will update the community as soon as additional information is available. Thank you for bearing with us."

Updated to add on 7 October

Like other, er, companies we could mention, Amazon's Twitch has blamed a "configuration" snafu for its woes.

In an update overnight, the firm said it had "learned that some data was exposed to the internet due to an error in a Twitch server configuration change that was subsequently accessed by a malicious third party."

It added that it had "no indication that login credentials" had been exposed.

"Additionally, full credit card numbers are not stored by Twitch, so full credit card numbers were not exposed."

The firm has reset all stream keys.

Similar topics


Other stories you might like

Biting the hand that feeds IT © 1998–2021