Twitch Confirms Enormous Data Breach As Sensitive Data Appears Online

The video-game streaming giant says its security teams are ‘working with urgency’ to find out more about the incident.
Aaron Drapkin

Amazon-owned streaming service Twitch confirmed it suffered a huge data breach this week. A “human error” committed when configuring a server created an exploitable vulnerability that led to reams of confidential information being leaked online.

The breach makes Twitch – which employs over 5,000 people – the latest large business to fall victim to cybercrime this year; approximately 5 billion private business records were leaked from businesses between January and June of 2021 alone.

The theft of Twitch’s data is a grim reminder that breaches and attacks are becoming increasingly common and can have devastating effects. This puts even more onus on businesses to protect themselves and the information they hold.

What Was Leaked in the Twitch Breach?

Around 135 gigabytes of Twitch data was published online, including the source code for the streaming service (the foundational element of Twitch’s computer program) and sensitive information detailing how much creators have been paid by the platform.

Some of these financial records date back more than two years, prompting some experts to question exactly how long the vulnerability had existed. Information relating to the streaming service’s security systems and infrastructure was also released online, as well as classified data about yet-to-be-released projects that Twitch is developing.

In a statement posted on the site, Twitch gave little away about precisely how the breach occurred, attributing it simply to a “server configuration change that was subsequently accessed by a malicious third party”.

Where Was Twitch’s Data Posted?

The leaked data appeared on the controversial imageboard 4chan with the ominous title ‘Twitch leaks part one’, leaving users and creators wondering whether the worst is still to come.

Referencing Amazon’s 2014 acquisition of the platform, the anonymous poster bragged: “Jeff Bezos paid $970 million for this, we're giving it away FOR FREE.” Further comments suggested the leaker was motivated by a disdain for the Twitch community, which they described as a “disgusting toxic cesspool”.

One cybersecurity expert told the BBC that Twitch’s “entire digital footprint” was effectively stolen and published, subsequently suggesting it was one of the most damaging data leaks of late.

How Did Twitch Respond to the Breach?

The company confirmed that “some data was exposed to the internet due to an error” and assured users that the service’s “teams are working with urgency to investigate the incident.”

Twitch said it was “still in the process of understanding the impact in detail”, but wanted “to address [user concerns online] while our investigation continues”, confirming that account login details were not compromised.

“At this time, we have no indication that login credentials have been exposed. We are continuing to investigate” – Twitch statement

The streaming service – which has 30 million daily visitors – has also taken the precautionary step of resetting all stream keys for users. Twitch streamers can find their new stream key in the Stream sub-menu in Settings on the Creator Dashboard.

Stream of Large Data Breaches Continues

Twitch’s track record on security isn’t exactly squeaky clean, and Amazon will have to up its game considering Big Tech competitors have also made moves into the gaming market in recent years. Most recently, the platform struggled to contain ‘hate raids’, which involved streamers being spammed by bots spouting hate speech.

But Twitch isn’t alone – according to the Identity Theft Resource Center, the volume of data breaches that have taken place this year has already exceeded that of 2020 with three months to spare. The average cost of a data breach to a US company is now a huge $8.64 million and rising.

Although it’s difficult to find a positive in a data breach, there is one thing Twitch did right that other businesses should take notice of. Twitch does not store full credit card numbers, so there was no risk of full credit card numbers being exposed during this leak.

This is a good security practice – if you don’t need to hold certain information for your platform, business or organisation to succeed, then don’t hold onto it. Another good practice businesses are adopting to keep their information safe is ensuring employees use password managers, with several providers now able to notify you immediately if one of your passwords is compromised.

Twitch wasn’t the first company to suffer a severe data breach this year, nor will it be the last. The news is, however, a cautionary tale to all businesses holding data. Hacking groups may strike fear into the hearts of CEOs and IT teams across the world – but the frequency of human error is just as terrifying.


Aaron Drapkin is a Senior Writer at Tech.co. He has been researching and writing about technology, politics, and society in print and online publications since graduating with a Philosophy degree from the University of Bristol three years ago. As a writer, Aaron takes a special interest in VPNs and project management software. He has been quoted in the Daily Mirror, Daily Express, The Daily Mail, Computer Weekly, and the Silicon Republic speaking on various privacy and cybersecurity issues, and has articles published in Wired, Vice, Metro, The Week, and Politics.co.uk covering a wide range of topics. In his free time, Aaron likes to play guitar, attend as many music festivals as humanly possible, and suffer greatly for his support of Arsenal F.C.
