‘Everything’ was described by one Twitter user as “Like, the entire website; Source code with comments for the website and various console/phone versions, references to an unreleased steam competitor, payouts, encrypted passwords that kinda thing.” They added unironically, “Might wana change your passwords.”
Might indeed.
Initially Twitch affiliated users were sceptical (on Twitter) as an initial payment database suggested some very generous payouts, but later data had multiple users confirming the data was a very close match to their own records.
According to HaveIBeenPwned’s Troy Hunt on Twitter, “The general consensus from the masses is "it's legit", but I'm yet to see any analysis yet. The torrent is being shared pretty extensively, it contains 278 files totalling 125GB *compressed* so it's sizeable.” Troy lists the alleged contents of the torrent here.
At the time of writing, there is nothing on the company web site to warn users of this issue.
|
For the uninitiated (this writer included, we had to talk to a nearby teenager), Twitch offers a real-time streaming service where (for instance) gamers can live-stream game-play to an audience of paid subscribers. Think of it as a live version of YouTube dedicated to noobs watching great players cruise though really difficult games (I -mostly- exaggerate).
Unconfirmed suggestions are that there was a connection to current Twitch data repositories in an uncontrolled link extracted from a GitHub repository.
Jarno Niemela, Principal Researcher, F-Secure notes, "This leak is very serious for Twitch, but the question is what effects this will have for the regular Twitch user.
"From what we currently know, is that as password hashes have leaked, all users should obviously change their passwords, and use 2FA if they are not doing so already.
"But as the attacker indicated that they have not yet released all the information they have, anyone who has been a Twitch user should review all information they have given to Twitch, and see if there are any precautions they need to make so that further private information isn’t leaked."
The following is speculation.
We don’t yet know the extent of the breach, but we do know that Twitch has extensive dox for all their affiliates. The release of that information could be very ‘interesting.’ Further, ALL affiliates ought to be awake to all manner of phishing and similar contacts in the future.
This is not speculation: Hint to all Twitch-connected people; whether content producers or consumers – change your password NOW. And if you haven’t invoked 2FA, do so immediately.