Every day, millions of viewers use Twitch to watch their favorite streamers play games, talk, or whatever else. But on Wednesday, Twitch was shaken by a massive security breach: virtually the entire website has been leaked, uploaded by an anonymous user in a freely accessible 135 GB torrent.
Twitch has confirmed that the breach is real, and the company says it’s “working with urgency to understand the extent of this.” But the extent already seems to be pretty huge. As far as we can tell, the leak includes the entirety of the Twitch code (with history going back to its early beginnings), 3 years’ history worth of creator payouts, as well as data on other Twitch properties (including IGDB, CurseForge, and a yet-unreleased Steam Competitor).
Already, several streamers have confirmed that their leaked earnings are accurate — and since important parts of the leak have already been confirmed, it’s probably safe to assume we’re dealing with a legitimate leak, not a fake. Furthermore, as the leaker said this is just “part 1” of the leak, we’ll read more about this in the coming days.
For Twitch, the leak does not appear to be devastatingly sensitive. Users’ personal data doesn’t appear to have been leaked (although it’s always a good idea to change passwords after a major leak) and Twitch’s competitive advantage lies in its brand rather than its source code. In fact, it may be streamers that are worse off after this leak, with their earnings publicly leaked.
Variety streamer and host Brandon Stennis (iamBrandon) expressed disbelief at how badly Twitch, a company valuated close to $4 billion, handled the situation:
“With a big leak breach like Twitch has, why didn’t they email this information to people and only talked about it on Twitter? I mean its a bit of a huge deal if information like this is out. Not everyone is on Twitter,” Stennis said.
Others were able to find humor in the situation. Jack Manifold (JackManifoldTV) quipped:
“It is completely unfair that I am that far down the list, and I will be doing everything in my power to pump up that number going forward; for you guys!”
Meanwhile, another popular streamer, Charles White Jr. (moistcr1tikal) expressed surprise at the public reaction to the leaked earning, explaining that it’s not hard to estimate, to a reasonable extent, how much a streamer was making. Ludwig Anders Ahgren (ludwig), one of the big earners, jokingly used this to tell another streamer “don’t speak unless spoken to, #486.” If you’re curious, the top-winning channel (according to the leak) is Critical Role — a channel operated by a self-described “bunch of nerdy-ass voice actors” who stream everything from Dungeons & Dragons to talk shows to lo-fi music. The channel made almost $10 million in the past two years.
It’s still not entirely clear what has caused the leak or how much data was actually taken. In a statement on a blog post, Twitch blamed a “server error” as the cause for the leak:
“We have learned that some data was exposed to the internet due to an error in a Twitch server configuration change that was subsequently accessed by a malicious third party. Our teams are working with urgency to investigate the incident.
“As the investigation is ongoing, we are still in the process of understanding the impact in detail. We understand that this situation raises concerns, and we want to address some of those here while our investigation continues.”
While some were able to joke about it, Twitch likely isn’t laughing. As gaming and streaming evolve and become truly mainstream components of online media, there’s a lot of money to be made (or lost) in the industry. In the western world, Twitch may be the undisputed king of streaming, but it’s had growing criticism from the streamers themselves — and this is unlikely to help make things better.
If you do have a Twitch user, it’s probably best to change your password and set up two-factor authentication.