Twitch has just issued an update, following on from yesterday’s major attack on the service which resulted in the theft and then public posting of, among other things, the platform’s source code. According to their ongoing investigation, “a malicious third party” is responsible.
Described by those responsible as “part one” of “an extremely poggers leak,” the data released yesterday included the source code for Twitch’s website and services, its client apps for various consoles, revenue figures for its most prominent streamers, its Amazon cloud-based services, various proprietary SDKs, other services Twitch owns, tools used by its security operations center, and even for an “unreleased Steam competitor from Amazon Game Studios.”
The short statement, issued this evening, says in an enormous understatement that, “some data was exposed to the internet,” originating from, “an error in a Twitch server configuration change that was subsequently accessed by a malicious third party.” Twitch also reiterates they have, “no indication that login credentials have been exposed,” and that, “full credit card numbers were not exposed.”
The full statement, published on Twitch’s website under a headline calling this a “Twitch Security Incident”, reads:
We have learned that some data was exposed to the internet due to an error in a Twitch server configuration change that was subsequently accessed by a malicious third party. Our teams are working with urgency to investigate the incident.
As the investigation is ongoing, we are still in the process of understanding the impact in detail. We understand that this situation raises concerns, and we want to address some of those here while our investigation continues.
At this time, we have no indication that login credentials have been exposed. We are continuing to investigate.
Additionally, full credit card numbers are not stored by Twitch, so full credit card numbers were not exposed.
It’s worth remembering that while user information may not have been included in the currently leaked data, it was described as “part one,” and more may well follow. Everyone should change their Twitch password immediately.