"We have learned that some data was exposed to the internet due to an error in a Twitch server configuration change that was subsequently accessed by a malicious third party. Our teams are working with urgency to investigate the incident."
The statement continued: "As the investigation is ongoing, we are still in the process of understanding the impact in detail. We understand that this situation raises concerns, and we want to address some of those here while our investigation continues."
Twitch further indicated that login credentials were exposed, adding: "We are continuing to investigate. Additionally, full credit card numbers are not stored by Twitch, so full credit card numbers were not exposed."
Sources claim that Twitch has been hacked, leaking user passwords, stream keys, source code, as well as payment information and earnings reports of hundreds of popular streamers (such as Critical Role, Felix "xQc" Lengyel, Summit1g, NICKMERCS and more) since August 2019 to present.
The leak was publicized after an anonymous hacker posted a 125 GB torrent link on 4chan on 6th October, which subsequently spread like wildfire on social media. The hacker reportedly intended the leak to "foster more disruption and competition in the online video streaming space," citing the reason being that "the community is a disgusting toxic cesspool."
Included in the leak was also source code for an unreleased Steam competitor, codenamed "Vapor", from Amazon Game Studios and much more. While we are currently unable to verify the contents of the leak, we are assured by the Video Games Chronicle that the hack is indeed legitimate. Several other users on Twitter have also reportedly begun to digest the contents of the torrent file.
Twitch hacked: all reported streamer earnings
These are the alleged gross payouts of the top 100 streaming personalities on Twitch from August 2019 until October 2021, sourced from the leak. These totals are said to not include donations, sponsors, merch or tax deductions, but rather their payout directly received from Twitch.
The gross payouts of the top 100 highest-paid Twitch streamers from August 2019 until October 2021: pic.twitter.com/3Lj9pb2aBl— KnowSomething (@KnowS0mething) October 6, 2021
Since August 2019, CriticalRole has topped the rankings with an alleged earning of $9.6 million USD, followed closely by xQc, with $8.4 million and then Summit1g, with $5.9 million.
World of Warcraft icon, Asmongold, reportedly earned $2.5 million, whilst Imane "Pokimane" Anys raked in $1.5 million. Asmongold recently commented on the leak and said that he "doesn't give a f***" about the and that his leaked earnings were incorrect.
Twitch hacked: all contents of the leak
The leak is said to include the following information, however, it is also reported that the 125 GB file dump may also contain other private and intellectual properties.
- All of the Twitch source code, since its inception as JustinTV.
- Twitch source code for mobile, desktop and console clients.
- Source code for proprietary SDKs and internal Amazon Web Service elements used by Twitch.
- Creator payout reports and earnings since August 2019.
- All other Twitch properties, such as IGDB and CurseForge.
- An unreleased Steam competitor, codenamed Vapor, from Amazon Game Studios.
Grabbed Vapor, the codename for Amazon's Steam competitor. Seems to intigrate most of Twitch's features as well as a bunch of game specific support like fortnite and pubg.— Sinoc (@Sinoc229) October 6, 2021
Also includes some Unity code for a game called Vapeworld, which I assume is some sort of VR chat thing. pic.twitter.com/4KeeEOspyQ
- Twitch's internal security tools, namely their "red teaming" tools that were designed to improve security by having staff pretend to be hackers.
The present hack is reportedly labelled "Part One," which suggests that the hacker has access to even more of Twitch's data.
Although Twitch has yet to issue a public statement at the time of writing, it is noted that they are aware of the hack.
In the interim, we strongly advise you to change your stream keys and login passwords, as well as enable 2-Factor Authentication on your account.
We'll be sure to update you as soon as more details regarding the breach have been released.