Earlier this week, hackers got hold of a huge cache of source code repositories, creator payouts and other internal data from Twitch, and published it online following a data breach.
The hack compromised the accounts of many users, with the hacker sharing their personal information online. On Tuesday, a leaker shared a post claiming to have taken Twitch’s source code and proprietary SDKs, or software development kits, that developers use to integrate Twitch into their apps and services.
Twitch confirmed the breach in a tweet on Wednesday. “We can confirm a breach has taken place. Our teams are working with urgency to understand the extent of this. We will update the community as soon as additional information is available,” the tweet read.
Confirming their fears, Twitch users began seeing their personal information online. The data contains payouts for each Twitch user, some of which reach into the six figures and more.
“I looked at a line from June 2019 and literally 100% match to the information showing on my analytics on my dashboard,” said one user.
The leak, which now exposes a vast number of streamers of the gaming giant, may represent a security risk, since it allows practically anyone to search for security vulnerabilities in the code. But it does not end there.
The leaker says the released cache is “part one,” which means there will be more data leaks. Now, hackers are exploiting the loophole (the frontend logic of the platform) to entertain themselves.
On Friday, hackers were able to deface the platform for a few hours, replacing many background game images with photos of Amazon founder Jeff Bezos. Amazon bought Twitch for about $1 billion in 2014.
Users who jumped on the Amazon-owned service were greeted by closeup images of Jeff Bezos when searching. The images for games like GTA V, Dota 2, Apex Legends, Minecraft, Smite, Overwatch, Dead by Daylight, Final Fantasy XIV, and several others were replaced by closeup images of Bezos.
The escalation of the hacks has left Twitch in unprecedented trouble, with the Amazon-owned company struggling to get a handle on it.
Though Twitch has been investigating the matter, it has only confirmed that a “malicious third party” had exploited an error in a server configuration change to perform the hack, and that sensitive information like credit card information wasn’t exposed. However, per The Verge, several former employees said the situation is a lot more complicated than the company is willing to admit.
The breach has been attributed to the lax security architecture of the company. In September, Twitch streamers protested the company’s lack of action against “hate raids,” where bots are used to flood other streamers with hate and harassment.
One source claimed that the company had ignored all security warnings because it was scrambling to launch new features and grow the platform as quickly as possible. Right now, Twitch remains vulnerable. With information and code about its inner workings in the hands of a fun-seeking third party, the exploitation is likely to escalate soon, as with every leak. This may just be the beginning.