PCWorld (USA)

Massive Twitch hack reveals source code, creator payouts, and a Steam rival

Change your passwords pronto!


Well, this is bad. Twitch, the ultra-popular streaming site, appears to have been hacked. An anonymous leaker on the 4chan message boards released a 125GB torrent that allegedly contains source code for the streaming service, along with payout informatio­n for creators and details about an unreleased Amazon Steam rival dubbed “Vapor.”

You can’t trust anonymous hackers at their word, but noted security journalist Catalin

Cimpanu of The Record ( fave.co/3drtglv) downloaded some of the files and confirmed that “the content of the leak is in tune with what the hacktivist­s claimed to have shared.” Meanwhile, security researcher Troy Hunt has compiled a Twitter thread ( fave.co/3lsinuc) of various Twitch streamers confirming that the payout data is legitimate, and Video Game Chronicles ( fave.co/2yxmlno) says “an anonymous company source” told them that “the leaked data is legitimate, including the source code for the Amazon-owned streaming platform.”

We’ve reached out to Twitch for confirmati­on, but this hack certainly appears legit. We will not be linking to the torrent. The files allegedly contain a treasure trove of deeply held secrets, including:

• Three years’ worth of payout informatio­n to creators

• Twitch source code “with commit history going back to its early beginnings”

• Source code for Twitch’s desktop, console, and mobile game clients

• An unreleased Steam competitor code-named “Vapor” by Amazon Game Studios

• Informatio­n about other properties Twitch owns, such as Curseforge, along with SDK and internal Amazon Web Services tools used by Twitch

The poster said the leak was intended

“to foster more disruption and competitio­n in the online video streaming space,” because Twitch’s community is “a disgusting toxic cesspool.”

Fortunatel­y, user passwords don’t appear to be part of the files, but the leak was labeled “part one,” and Cimpanu notes that the torrents include folders “holding informatio­n about Twitch’s user identity and authentica­tion mechanisms, admin management tools, and data from Twitch’s internal security team, including whiteboard­ed threat models describing various parts of Twitch’s back-end infrastruc­ture.”

Between that informatio­n, and the fact that the source code for the site and its various clients were released, we highly recommend changing your Twitch password and enabling two-factor authentica­tion for the site, just in case user data was—or will be—compromise­d in some way. Head to Twitch’s security settings page ( fave.co/3dnwsi0) to adjust both.

Our guides to the best password managers ( fave.co/3lrkfrz) and 2FA solutions ( fave. co/3jemfgu) can help you set up strong protection­s if you’re unfamiliar with either technology. They’re both vital in the breach-rife modern world.

And if you’re a content creator who streams to Twitch, ensure that your banking credential­s also use a strong, unique password and are protected by two-factor authentica­tion if possible. This leak shouldn’t jeopardize those credential­s in any way, but better safe than sorry.

 ?? ??

Newspapers in English

Newspapers from United States