Amazon’s Twitch Suffers Data Leak, Users Called ‘Disgusting Toxic Cesspool’ by Hackers

Twitch has been hit by a massive data leak after an anonymous hacker posted a computer file containing a vast amount of data for the public to access.

Twitch, a video streaming service owned by Amazon, confirmed the data leak in a tweet:

“We can confirm a breach has taken place. Our teams are working with urgency to understand the extent of this. We will update the community as soon as additional information is available. Thank you for bearing with us.”

We can confirm a breach has taken place. Our teams are working with urgency to understand the extent of this. We will update the community as soon as additional information is available. Thank you for bearing with us.

— Twitch (@Twitch) October 6, 2021

According to CNBC, the Twitch data leak included details on payments to content creators and an unreleased product from Amazon Game Studios. The anonymous hacker said they were releasing the information to “foster more disruption and competition” in the streaming world. In addition, the hacker called the Twitch community a “disgusting toxic cesspool” in a post on 4chan.

Impact on Regular Twitch Users Unknown

Jarno Niemela is principal researcher at F-Secure. He said this leak is “very serious” for Twitch. However, the question remains how regular Twitch users will be affected.

F-Secure’s Jarno Niemela

“As password hashes have leaked, all users should obviously change their passwords, and use two-factor authentication (2FA) if they are not doing so already,” he said. “But as the attacker indicated that they have not yet released all the information they have, anyone who has been a Twitch user should review all information they have given to Twitch, and see if there are any precautions they need to make so that further private information isn’t leaked.”

Users should always be cautious of what kind of information they provide to any social media platform, Niemela said.

Hacktivist Likely Behind Attack

Marcus Fowler is director of strategic threat at Darktrace. He said the attacker appears to be a hacktivist working to damage Twitch for failing to take action against hate.

Darktrace’s Marcus Fowler

“This breach is on the heels of the mid-September hack against web-hosting company Epik, known for serving right-wing websites, continuing the emerging trend of malicious actors operating in line with their perceived ethical codes or social responsibilities,” he said.

Ongoing speculation points to this breach coming through a third-party provider to Twitch, Fowler said. That reminds companies that they are only ever as secure as their supply chain.

“In this case, as with so many cyberattacks, the ramifications are likely to be vast for Twitch, from both a reputational and financial standpoint,” he said. “The leak of the creator payloads would have been relatively straightforward, though time-consuming, to compute manually even before the leak. But collating these in one place has provided an extensive target list of individuals and organizations with high net worth for scammers to sift through.”

Hard Questions Coming

Archie Agarwal is founder and CEO of ThreatModeler, an automated threat modeling provider.

ThreatModeler’s Archie Agarwal

“Reading of a data breach that includes the entire source code, including unreleased software, SDKs, financial reports and internal red-teaming tools, will send a shudder down any hardened infosec professional,” he said. “This is as bad as it could possibly be. The first question on everyone’s mind has to be how on earth did someone exfiltrate 125 gigabytes of the most sensitive data imaginable without tripping a single alarm. There’s going to be some very hard questions asked internally.”

It appears at first glance this was a direct attack against Twitch rather than users, Agarwal said. However, it’s almost guaranteed user information will have been swept up in this breach. As a result, users will have to take the usual precautions of changing their account credentials and making sure they don’t use the same combination of credentials to access other services online.

Data Now Available to Twitch Competitors

Quentin Rhoads-Herrera is director of professional services at CriticalStart.

CriticalStart’s Quentin Rhoads-Herrera

“Now that the data has been released, there isn’t much Twitch can do,” he said. “They should try and prevent it from being put up on platforms like GitHub, BitBucket or other popular code/file sharing platforms. But the data is already out and will be shared forever through many different channels. What they can do is evaluate exactly what was stolen, reset user passwords that were compromised, and determine the risk to their IP and how it will impact their business overall. The largest risk to Amazon’s Twitch is the data that is now freely available to their competitors.”

Twitch may lose some user following and trust, Rhoads-Herrera said. The biggest impact is the leaked data that is unique to its intellectual property that could be leveraged by competitors.