42 votes

The entirety of Twitch has reportedly been leaked

21 comments

  1. riQQ

    The leaked Twitch data reportedly includes:

    • The entirety of Twitch’s source code with comment history “going back to its early beginnings”
    • Creator payout reports from 2019
    • Mobile, desktop and console Twitch clients
    • Proprietary SDKs and internal AWS services used by Twitch
    • “Every other property that Twitch owns” including IGDB and CurseForge
    • An unreleased Steam competitor, codenamed Vapor, from Amazon Game Studios
    • Twitch internal ‘red teaming’ tools (designed to improve security by having staff pretend to be hackers)
    15 votes
    1. vord

      On one hand, I'm massively curious, that's a treasure trove of potentially great code.

      On the other hand, potentially facing the wrath of Amazon for possesing such a thing feels risky.

      Also, wasn't there already free games with Twitch prime before? Or am I mis-remembering? The article seems to indicate this was a completely new thing.

      7 votes
      1. AugustusFerdinand

        Also, wasn't there already free games with Twitch prime before? Or am I mis-remembering? The article seems to indicate this was a completely new thing.

        I didn't see where they implied it was a new thing, but yes, there are many free games on Twitch prime. I go in and claim them on a somewhat regular basis, but I've never actually installed any of them. I only just installed the 'Amazon Game Store' to be able to see what I have and apparently I've claimed 238 games at this point.

        10 votes
    2. babypuncher

      An unreleased Steam competitor, codenamed Vapor, from Amazon Game Studios

      Oh hell not another one. At least it probably won't be as half-baked as EGS.

      3 votes
  2. spit-evil-olive-tips

    an excellent, though partially paywalled summary by Casey Newton has this in the "free preview" section:

    But according to the former engineers I spoke with, Twitch had a notoriously lax approach to internal security that, in the view of some, made an incident like today’s more likely.

    Among the issues they identified:

    • The company did not develop an effective model to counter internal threats — that is, employees who might seek to steal data or cause other problems.

    • Every engineer could clone every code repository, making it possible for someone to essentially copy and paste the entire code base.

    • Despite being owned by Amazon since 2014, Twitch still has its own information security practices, which are generally weaker.

    “No other company has this level of facepalm,” one engineer told me. (One further illustration of their point: more than a year after leaving the company, their account still had a “staff” badge, granting it extra administrative privileges.)

    9 votes
  3. streblo

    Someone has already made this: https://www.twitchearnings.com/

    Pretty crazy what some of the top earners are pulling, although not altogether surprising if you consider they are pulling in viewerships that used to sustain small television shows.

    8 votes
    1. teaearlgraycold

      Looks like it's been taken down.

      4 votes
      1. DaveJarvis
        https://web.archive.org/web/20211007001100/https://www.twitchearnings.com/
        4 votes
        1. teaearlgraycold

          Thanks! The search even works.

          Nothing here is surprising. You can already reach something close to these numbers if you know a channel’s subscriber count.

          2 votes
  4. emnii

    Update from Twitch: https://blog.twitch.tv/en/2021/10/06/updates-on-the-twitch-security-incident/

    [10:30PM PT] We have learned that some data was exposed to the internet due to an error in a Twitch server configuration change that was subsequently accessed by a malicious third party. Our teams are working with urgency to investigate the incident.

    As the investigation is ongoing, we are still in the process of understanding the impact in detail. We understand that this situation raises concerns, and we want to address some of those here while our investigation continues.

    At this time, we have no indication that login credentials have been exposed. We are continuing to investigate.

    Additionally, full credit card numbers are not stored by Twitch, so full credit card numbers were not exposed.

    8 votes
  5. knocklessmonster

    A moderator in a streamer's discord recommended doing the following for anybody with an account:

    • Change password
    • Change stream key (even if not a streamer)
    • Enable 2FA

    I did all three (apparently didn't have 2FA), but also don't think they got passwords? It's been suggested as a possibility, though.

    5 votes
    1. emnii

      I hope everyone making all these changes intends on doing it again once Twitch confirms they've identified the source of the breach and contained it. Otherwise you're risking having all these things leaked again, maybe without notice, because Twitch hasn't kicked out the attacker.

      8 votes
    2. Pistos

      Good call on the stream key. Didn't think of that. Thanks.

      re: passwords: My assumption is that they didn't get plaintext passwords, only encrypted hashes. Nevertheless, those are brute-forceable, etc. so... changing password is still a good idea.

      3 votes
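Pistos's point above, that a leaked password table is still brute-forceable even when it holds only hashes, as an added example that is not part of the thread and not Twitch's code. It goes a step beyond the comment: it runs an offline dictionary attack against a constructed "leaked" table and contrasts an unsalted fast hash (one pass over the wordlist cracks every user) with a salted, iterated KDF (one full KDF run per user per guess). The wordlist, the user rows and the iteration count are constructed for the demo; nothing here is taken from the leak.

```python
# Added example, not from the thread: an offline dictionary attack against a
# constructed "leaked" password table, showing why hashed passwords are still
# brute-forceable and what separates a cheap leak from an expensive one.
import hashlib
import hmac
import time

# Constructed wordlist; a real attacker uses hundreds of millions of entries.
WORDLIST = ["password", "123456", "qwerty", "letmein", "hunter2", "dragon"]

# Constructed table 1: unsalted SHA-256, the classic mistake.
LEAKED_UNSALTED = {
    "alice": hashlib.sha256(b"hunter2").hexdigest(),
    "bob": hashlib.sha256(b"letmein").hexdigest(),
    "carol": hashlib.sha256(b"correct horse battery staple").hexdigest(),  # not in wordlist
}

# Constructed table 2: per-user salt + PBKDF2-HMAC-SHA256. The iteration count
# is a hypothetical value kept low so the demo runs in seconds.
ITERATIONS = 50_000
_SALT_DAVE = bytes.fromhex("9f1e4b7a3c2d5e60")
LEAKED_SALTED = {
    "dave": (_SALT_DAVE, hashlib.pbkdf2_hmac("sha256", b"dragon", _SALT_DAVE, ITERATIONS).hex()),
}


def crack_unsalted(rows, wordlist):
    """Hash the wordlist once, then look every user up in that table.
    Without salt, equal passwords give equal hashes, so the work is
    O(len(wordlist)) for the whole table, not per user.
    Returns (cracked {user: password}, number of hash computations)."""
    table = {hashlib.sha256(w.encode()).hexdigest(): w for w in wordlist}
    cracked = {user: table[h] for user, h in rows.items() if h in table}
    return cracked, len(wordlist)


def crack_salted(rows, wordlist, iterations=ITERATIONS):
    """Salt defeats the shared table: every (user, guess) pair costs one full
    KDF run, and the iteration count sets the price of each run.
    Returns (cracked {user: password}, number of KDF computations)."""
    cracked, work = {}, 0
    for user, (salt, target) in rows.items():
        for guess in wordlist:
            work += 1
            candidate = hashlib.pbkdf2_hmac("sha256", guess.encode(), salt, iterations).hex()
            if hmac.compare_digest(candidate, target):
                cracked[user] = guess
                break
    return cracked, work


def seconds_per_guess(fn, repeats=10):
    """Wall-clock cost of one guess under `fn`, averaged over `repeats` runs."""
    start = time.perf_counter()
    for _ in range(repeats):
        fn()
    return (time.perf_counter() - start) / repeats


if __name__ == "__main__":
    found, work = crack_unsalted(LEAKED_UNSALTED, WORDLIST)
    print(f"unsalted: cracked {found} with {work} hash computations for the whole table")
    found, work = crack_salted(LEAKED_SALTED, WORDLIST)
    print(f"salted:   cracked {found} with {work} KDF computations for one user")
    fast = seconds_per_guess(lambda: hashlib.sha256(b"guess").digest())
    slow = seconds_per_guess(lambda: hashlib.pbkdf2_hmac("sha256", b"guess", _SALT_DAVE, ITERATIONS))
    print(f"one guess: sha256 {fast * 1e6:.1f} us, pbkdf2({ITERATIONS}) {slow * 1e3:.1f} ms, "
          f"ratio ~{slow / fast:,.0f}x")
```

The practical reading: a weak password falls to either scheme, so changing it is the right advice regardless of how Twitch stored it; the hashing scheme only decides whether the attacker cracks the whole table in one pass or has to pay per user.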
    3. sron

      Ah, Twitch 2FA is such an arse though. I enabled it and added it to Authy when I used that - then decided to use an open source alternative instead, and transferred my 2FA tokens over. Twitch seemed to use some sort of algorithm specific to Authy with a 7 digit code rather than a 6 digit code so I disabled and re-enabled 2FA on my account, and this time it gave me a normal secret generating 6 digit codes that I could add to my new app. Great!

      Everything worked okay at this point. Using the new app, my codes were authenticating me on Twitch as I'd expect. Then I deleted my Authy account, and the codes stopped working. Twitch Support were of no help either.

      Thankfully Authy waits 30 days to actually delete your codes, so I decided to cancel the deletion and try porting it over again. And, as if by magic, the codes I already had started working again.

      Maybe 2FA on Twitch is in some way tied to Authy, as if it is the only 2FA app there is, and with no option to use an alternative without an active Authy account. I have no idea. But I think Twitch 2FA does require your phone number, as does Authy, so that might go some way towards explaining it.

      How was your experience with it?

      2 votes
      1. an_angry_tiger

        I just enabled it for two accounts, added it to 1Password with the click of the "Scan QR Code" button and everything worked fine.

        1 vote
      2. knocklessmonster

        I had an issue using the codes they texted me to enable 2fa but got it enabled via Google Authenticator (my go-to) after a few tries.

        1 vote
    4. teaearlgraycold

      If they have passwords, wouldn't they also have all 2FA secrets?

      1 vote
      1. Deimos

        It's definitely possible, so it would be best to deactivate 2FA if it was already on and re-activate to get a new secret. If someone didn't have it on before, activating it now is a good idea.

        6 votes
      2. knocklessmonster

        I hadn't considered that; I should mention something in that channel about it. The idea hadn't even occurred to me.

        I guess I'm an accidental beneficiary of not having 2FA on in 2019.

        2 votes
  6. teaearlgraycold (edited)

    I downloaded the torrent. Lots of interesting things inside.

    It looks like the leak includes .pem files for Twitch and Amazon (just internal stuff - one identifies as "Amazon.com Internal Root Certificate Authority" and expires in 2027). I don't know how to check if it includes the private key. But my favorite thing is the Domino's pizza ordering client written in Go. It'll let you find nearby stores, list prices and place orders all from the command line!

    They've also got their software engineer interview questions in there. I'm sure at least one person will check those out in advance. One question has candidates use the live Twitch API which I think is neat. I haven't seen a company do that in an interview before.

    Edit:

    I love that their chat pre-processor service (which includes auto-moderation checks) is called Prism.

    And the micro-service for reporting similar channels is called "Kevin Bacon".

    5 votes
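teaearlgraycold asks above how to tell whether a .pem file includes the private key. As an added example that is not part of the thread (and not Twitch's or Amazon's code), here is an offline PEM inspector: it lists the block types in a bundle, flags any private-key block, notes whether the key is at least passphrase-protected, and, where the system `openssl` binary is present, prints subject, issuer and expiry for each certificate and checks whether a key belongs to a certificate. The sample bundle is constructed with placeholder bodies; it is not data from the leak. The standard library has no X.509 parser, so the certificate details go through `openssl x509`, which is an assumption about the machine rather than part of the technique.

```python
# Added example, not from the thread: inspect a PEM bundle to answer "does this
# .pem carry a private key?" and summarise any certificates in it. The PEM
# parsing is done here; certificate fields come from the system `openssl`
# binary when it is installed.
import re
import shutil
import subprocess
import sys

PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)

# Constructed sample: placeholder bodies, not real key or certificate material.
SAMPLE_BUNDLE = (
    b"-----BEGIN CERTIFICATE-----\nMIIBplaceholder\n-----END CERTIFICATE-----\n"
    b"-----BEGIN EC PRIVATE KEY-----\nMHQCAQEEplaceholder\n-----END EC PRIVATE KEY-----\n"
)


def pem_blocks(data: bytes):
    """Return [(label, body)] for every block, e.g. ('CERTIFICATE', b'MIIB...').
    Legacy OpenSSL headers (Proc-Type:/DEK-Info:) stay inside the body."""
    return [(m.group(1).decode(), m.group(2)) for m in PEM_BLOCK.finditer(data)]


def private_key_labels(data: bytes):
    """Labels of all private-key blocks: 'PRIVATE KEY' (PKCS#8), 'ENCRYPTED
    PRIVATE KEY', 'RSA PRIVATE KEY', 'EC PRIVATE KEY', 'OPENSSH PRIVATE KEY'..."""
    return [label for label, _ in pem_blocks(data) if "PRIVATE KEY" in label]


def is_encrypted(label: str, body: bytes) -> bool:
    """True when the key is passphrase-protected: PKCS#8 encrypted form, or the
    legacy 'Proc-Type: 4,ENCRYPTED' header inside an RSA/EC/DSA block."""
    return label == "ENCRYPTED PRIVATE KEY" or b"Proc-Type: 4,ENCRYPTED" in body


def classify(data: bytes) -> dict:
    """Block labels, whether any private key is present, and whether every
    private key present is at least encrypted (False when there are none)."""
    blocks = pem_blocks(data)
    keys = [(l, b) for l, b in blocks if "PRIVATE KEY" in l]
    return {
        "labels": [l for l, _ in blocks],
        "has_private_key": bool(keys),
        "all_keys_encrypted": bool(keys) and all(is_encrypted(l, b) for l, b in keys),
    }


def openssl_cert_summary(cert_pem: bytes) -> str:
    """Subject, issuer and notAfter via `openssl x509`; '' if openssl is absent."""
    if shutil.which("openssl") is None:
        return ""
    out = subprocess.run(["openssl", "x509", "-noout", "-subject", "-issuer", "-enddate"],
                         input=cert_pem, capture_output=True)
    return out.stdout.decode(errors="replace") if out.returncode == 0 else "unparseable certificate\n"


def key_matches_cert(cert_pem: bytes, key_pem: bytes) -> bool:
    """Does an (unencrypted) private key belong to the certificate? Compare the
    public key openssl derives from each side."""
    if shutil.which("openssl") is None:
        return False
    pub_from_cert = subprocess.run(["openssl", "x509", "-noout", "-pubkey"],
                                   input=cert_pem, capture_output=True).stdout
    pub_from_key = subprocess.run(["openssl", "pkey", "-pubout"],
                                  input=key_pem, capture_output=True).stdout
    return bool(pub_from_cert) and pub_from_cert == pub_from_key


def pem_text(label: str, body: bytes) -> bytes:
    """Re-wrap one block so it can be handed to openssl on its own."""
    return b"-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label.encode(), body, label.encode())


if __name__ == "__main__":
    # Usage: python pem_inspect.py bundle.pem [...]; with no arguments the constructed sample is used.
    inputs = [(p, open(p, "rb").read()) for p in sys.argv[1:]] or [("<sample>", SAMPLE_BUNDLE)]
    for name, data in inputs:
        print(name, classify(data))
        for label, body in pem_blocks(data):
            if label == "CERTIFICATE":
                print(openssl_cert_summary(pem_text(label, body)), end="")
```

The one-liner equivalent for a single file is `grep -c 'PRIVATE KEY' file.pem` for the key question and `openssl x509 -in file.pem -noout -subject -enddate` for the expiry; the script only adds handling for bundles with several blocks and for the encrypted-key headers that a plain grep would miss.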
  7. ali

    This is a fun week for fuckups of gigantic proportions.

    28 votes