Twitch, an Amazon-owned live-stream gaming service, has fallen victim to an anonymous hacker who breached 125GB of data, including the service’s entire source code.
A torrent link containing the data cache was posted on 4chan by an anonymous user on October 6, 2021. The hacker stated their motive was to “foster more disruption and competition in the online video streaming space” because “[Twitch’s] community is a disgusting toxic cesspool”.
The breach was first reported by The Video Games Chronicle on the same day and by Twitch’s official Twitter account shortly after.
Other sensitive data exposed by the breach include:
- Twitch creator payout details from the past three years
- Proprietary SDKs and internal AWS services used by Twitch
- An unreleased Steam competitor from Amazon Game Studio
- Twitch’s developer tools
- Twitch’s information security tools
- Data from other Amazon properties, such as IGCB and CurseForge
Additional personally identifiable information (PII) like credit card details and login credentials are not believed to have been exposed.
Twitch said the data exposure occurred due to a server configuration error, which was subsequently exploited in a cyber attack.
This marks the second major data breach for the gaming service since it was acquired by Amazon in 2014. In 2015, Twitch announced to users that “unauthorized access” may have compromised user account information, prompting all users to change their passwords.
Twitch is also not the only Amazon property to suffer as a result of cloud misconfiguration, with Amazon S3’s security settings leading to thousands of data breaches over the past four years alone.
This latest breach highlights the importance of implementing consistent vulnerability management processes as threat actors are constantly scanning for holes in network security.