Hackers have accessed Twitch and leaked a vast amount of company data, including proprietary code, creator payouts and the "entirety of Twitch.tv." Twitch confirmed the breach in a tweet Wednesday morning, but did not provide further details.
On top of the Twitch.tv code, the attackers said they stole the site's mobile, desktop and console Twitch clients. They also accessed "proprietary SDKs and internal AWS services used by Twitch," other properties like IGDB and CurseForge, an unreleased Steam competitor from Amazon Game Studios (code-named Vapour) and Twitch SOC internal red-teaming tools. The leak also shows creator payouts from 2019 until now, including top streamers like Nickmercs, TimTheTatMan and xQc.
We can confirm a breach has taken place. Our teams are working with urgency to understand the extent of this. We will update the community as soon as additional information is available. Thank you for bearing with us. — Twitch (@Twitch) October 6, 2021
Although we haven't verified the claim that "the entirety" of Twitch's source code has been leaked, the files in the 126GB repository do appear to be genuine, and the payout figures for almost 2.4 million streamers seem to be present. The hackers said that the leak, which includes source code from almost 6,000 internal GitHub repositories, is also just "part one" of a larger release.
It doesn't appear that information like user passwords, addresses and banking information was revealed, but that can't be ruled out in a future drop. If you have a Twitch account, you should activate two-factor authentication so that bad actors can't log into your account if your password has been stolen.
The group also stated that Twitch's community is a "disgusting toxic cesspool," so the action may be related to recent hate raids that prompted streamers to take a day off in protest. Twitch has previously said that it's trying to stop the hate raid problem but that it wasn't a "simple fix."
It's not clear yet how attackers could have stolen such a large amount of data, especially considering that Twitch is owned by Amazon, which operates one of the largest web-hosting companies in the world.
Update (10/6/21, 11:33am ET): This post has been updated to reflect that Twitch confirmed on Wednesday that the breach took place.