Twitch attributes breach to server configuration error, resets all stream keys

The company said it has learned that the breach originated from a Twitch server configuration change error that left data exposed to the internet.

Twitch has announced that it reset all stream keys as it seeks to address the massive data breach that was revealed yesterday. 

A hacker leaked the entirety of Twitch's source code alongside a 128GB trove of data that included creator payouts going back to 2019, proprietary SDKs and internal AWS services used by Twitch, as well as all of the company's internal cybersecurity red teaming tools. 

While much of the press attention initially focused on the eye-popping revenues brought in by certain Twitch streamers, concern over the privacy and security of all Twitch streamers began to grow later in the day. 

Experts warned that all Twitch streamers needed to take immediate actions to protect their bank accounts and themselves from a potential wave of attacks by opportunistic cybercriminals. 

Late on Wednesday evening, Twitch announced that it was resetting all stream keys, directing streamers to this website for new stream keys. 

"Depending on which broadcast software you use, you may need to manually update your software with this new key to start your next stream. Twitch Studio, Streamlabs, Xbox, PlayStation, and Twitch Mobile App users should not need to take any action for your new key to work," Twitch explained. 

"OBS users who have connected their Twitch account should also not need to take any action. OBS users that have not connected their Twitch account to OBS will need to manually copy their stream key from their Twitch Dashboard and paste it into OBS. For all others, please refer to specific setup instructions for your software of choice."

Twitch emailed the statement to all streamers, according to multiple experts

In an earlier statement, the company said it learned that the breach originated from a Twitch server configuration change error that left data exposed to the internet. 

Twitch added that it was still trying to understand the scope of the breach as it continues to investigate the incident. 

"We understand that this situation raises concerns, and we want to address some of those here while our investigation continues. At this time, we have no indication that login credentials have been exposed. We are continuing to investigate. Additionally, full credit card numbers are not stored by Twitch, so full credit card numbers were not exposed," Twitch claimed. 

But experts have laid out a litany of problems facing those connected to the gaming platform, which has an average of 15 million daily users and more than 2 million Twitch creators broadcasting monthly.

Quentin Rhoads-Herrera, a director at CRITICALSTART, told ZDNet that Malware authors could potentially use Twitch's code being released to infect the user base of Twitch by possibly finding flaws in the applications code. 

"Now that the data has been released, there isn't much Twitch can do. They should try and prevent it from being put up on platforms like GitHub, BitBucket, or other popular code/file-sharing platforms. Still, the data is already out and will be shared forever through many different channels," Rhoads-Herrera said. 

"What they can do is evaluate exactly what was stolen, reset user passwords that were compromised, and determine the risk to their IP (especially from what was stolen of Vapor which is supposedly going to compete with Steam) and how it will impact their business overall. The largest risk to Amazon's Twitch is the data that is now freely available to their competitors. As a result of this event, Twitch might lose some user following and trust they may have had in their users. The biggest impact is the leaked data that is unique to their intellectual property that could be leveraged by competitors."

The hacker behind the attack said that what was released yesterday was only the first section of the stolen data.