The gaming platform reiterated that the incident was caused by a “server configuration change that allowed improper access by an unauthorized third party.”
The company claimed Twitch passwords were not exposed in the breach and said it is “confident” that the systems storing Twitch login credentials, which are hashed with bcrypt, were not accessed, and that neither full credit card numbers nor ACH/bank information were accessed.
“The exposed data primarily contained documents from Twitch’s source code repository, as well as a subset of creator payout data. We’ve undergone a thorough review of the information included in the files exposed and are confident that it only affected a small fraction of users and the customer impact is minimal. We are contacting those who have been impacted directly,” the company said.
An unknown hacker leaked the entirety of Twitch’s source code among a 128 GB trove of data released on October 6.
The data included creator payouts going back to 2019, proprietary SDKs and internal AWS services used by Twitch, as well as all of the company’s internal cybersecurity red teaming tools.
While much of the press attention initially focused on the eye-popping revenues brought in by certain Twitch streamers, concern over the privacy and security of all Twitch streamers began to grow in the days following the attack.
Experts warned that all Twitch streamers needed to take immediate action to protect their bank accounts and themselves from a potential wave of attacks by opportunistic cybercriminals. Twitch eventually announced that it was resetting all stream keys, directing streamers to a website for new stream keys.
The unknown hacker behind the attack claimed the attack was motivated by the platform’s lackluster response to complaints about racism, homophobia and abuse directed toward minority gamers in what are called “hate raids.”
The hacker said Twitch’s community is “a disgusting toxic cesspool, so to foster more disruption and competition in the online video streaming space, we have completely pwned them, and in part one, are releasing the source code from almost 6,000 internal Git repositories.”
The original note said the initial release was only the first section of the stolen data.