Twitch blames error in server configuration for cyber attack

Twitch, a live streaming e-sports platform owned by, has blamed an error in server configuration change that might have allowed an alleged hacker to leak sensitive information.
Internet user on laptop
The video platform said it was still assessing the impact and that it had reset all stream keys, or codes that allow influencers and streamers to connect and publish content for users.

Video Games Chronicle had earlier reported that an anonymous hacker had claimed to have leaked Twitch’s data, including the source code and information on its clients and unreleased games.

Earlier this week, Facebook blamed a faulty configuration change during routine maintenance work at its data centers networks for the nearly six-hour outage, which prevented the company’s 3.5 billion users from accessing its social media and messaging services.

The social media giant later confirmed that the error was not due to any malicious activity.

“Facebook basically removed themselves from the Internet but they did not lose sensitive information. For Twitch, it was just bad fortune,” said Candid Wuest, an executive for cyber protection research at Acronis.

A configuration change, which essentially means a routine maintenance change of an IT infrastructure from turning a network drive on or off or giving it a new name, possibly allowed a third party to access Twitch’s data, Wuest said.

Twitch, a popular platform among video gamers where they interact with users while live streaming content, said there was no indication of any exposure of user login credentials. The platform also added that it does not store full credit card details.

The Twitch hacker’s motive was to foster more disruption and competition in the online video streaming space, according to the Video Games Chronicle report.

About 125GB of data was leaked, including details on Twitch’s highest-paid video game streamers since 2019 such as a $9.6 million payout to the voice actors of popular game Dungeons & Dragons and $8.4 million to Canadian streamer xQcOW, the report said.

“Twitch leak is real. Includes significant amount of personal data,” cyber security expert Kevin Beaumont tweeted.

Twitch, with over 30 million average daily visitors, has become increasingly popular with musicians and video gamers.

“Anytime source code gets leaked it’s not good and potentially disastrous. It opens a gigantic door for evil doers to find cracks in the system, lace malware, and potentially steal sensitive information,” Sundar Balasubramanian, Managing Director, Check Point Software Technologies, India & SAARC, said.

For October’s Cyber Security Awareness month, Check Point Research documented a 40 percent increase in cyber attacks this year, compared to 2020.

Candid Wuest, Acronis VP of Cyber Protection Research, said: “Can get much worse – a lot more damage now in store for Twitch. While yet unclear how the breach happened, it’s already harming Twitch on all the fronts that count – revenue, operations, users, influencers, market positioning.”

Leaked data could contain nearly the full digital footprint of Twitch, making it one of the most severe data breaches of late. The 125 GB of data leaked so far might just be the start. Internal network plans and marketing plans for future products could now be misused by attackers or sold to competitors.

“If the source code is exposed, we will see a spike in vulnerabilities discovered in related software. Having access to the source code makes it easy to find weak spots.”

“Releasing payout reports for streaming clients will not make the influencers happy either – dozens of Twitch streamers seem to have been paid over US$1 million each over time. For the users, an immediate password change & enabling of two-factor authentication are a must,” Candid Wuest said in a statement.