Twitch Leak Included Emails, Password: Researcher

A researcher combed through the Twitch leak and found what they said was evidence of PayPal chargebacks with names and emails, employees’ emails, and more.

Twitch users, if you haven’t changed your password yet, go. Now. Do it.

101321 08:45 UPDATE: Your email and password may already have been leaked – unhashed and unencrypted, though it’s not known if the one Twitch set of Twitch credentials are from an internally or externally facing database.

Researchers have been squeezing the live-streaming service’s innards after 135 gigabytes of its internal data were smeared all over 4chan by an anonymous poster on Tuesday.

Infosec Insiders Newsletter

It’s a horrific leak that included the Amazon-owned service’s source code, comments dating back to the dawn of Twitch time, security tools, an unreleased Amazon Game Studios competitor to Steam (codenamed Vapor), a list of of the highest-paid channels plus how much they were paid (FYI: A channel operated by voice actors took the top spot, making about $10 million in two years), and more.

Emails, Passwords in Plaintext

Since Tuesday, the “and more” has been unpacked to reveal what many experts predicted: Namely, this wasn’t just a direct attack on Twitch, in spite of the attacker calling the service a “disgusting toxic cesspool.”

Rather, it was also an attack on Twitch users, whose personal information was breached.

An independent security researcher who requested anonymity found the following email address and password in plain text in one exposed datastore. The researcher shared the following Twitch screenshot with PrivacySharks, which subsequently shared it with Threatpost.

Emails and passwords in clear text. Source: PrivacySharks.

When Threatpost contacted Twitch, a representative sent this statement: “At this time, we have no indication that login credentials have been exposed. We are continuing to investigate. Additionally, full credit-card numbers are not stored by Twitch, so full credit-card numbers were not exposed.”

It Was a Misconfigured Switch

On Wednesday, Twitch disclosed that “some data” was exposed to the internet due to “an error in a Twitch server configuration change that was subsequently accessed by a malicious third party.” It said that its teams were urgently investigating, but that it hadn’t found any evidence that login credentials had been exposed.

“We are continuing to investigate,” Twitch said.

On Thursday, the service reset all keys “​​out of an abundance of caution” and directed streamers to get new keys here.

PayPal Chargebacks, Scraping Competitors’ Sites, Employee Data

In spite of Twitch’s failure to find any evidence of exposed user data, the independent researcher shared with PrivacySharks other datastores containing personal data, including a PayPal file containing details on more than 1,000 chargebacks made from Twitch to various platforms.

The records include full names, email addresses, buyer comments and amounts. The redacted screenshot below is an example of what the file contained:

PayPal chargebacks made from Twitch to various platforms, including name, email, buyer comments and amount. Source: PrivacySharks.

The anonymous leaker called Tuesday’s 135 gigabytes data dump “part one” of the leak, but they didn’t say what else might be coming or when.

But so far, as the researcher told PrivacySharks, the leak has also included back-end employees’ names, email addresses and positions.

The researcher also discovered evidence that Twitch has allegedly been scraping competitors’ services for live channels and view counts. They shared this screen capture:

Twitch Allegedly Has Anti-View-Botting Tech Up Its Sleeve

Finally, the researcher also found screenshots that indicate that Twitch is allegedly ramping up its technology to detect and prevent view-botting on the platform. View-botting is when streamers artificially inflate their concurrent-view count by using “illegitimate scripts or tools,” according to Twitch.

Bots aren’t all bad. Good bots help keep weather, sports and other news updated in real-time, and they can help find the best price on a product or track down stolen content. Bad bots, however, can dish out malware and can be used for hacking, spamming, spying, spreading fake news and compromising websites of all sizes, as Kaspersky has explained.

When it comes to a service like Twitch, streamers use view-fraud bots “to boost their streams and get on the virtual leaderboard where they hope to attract legitimate followers and views,” according to Fraud Blocker. That’s similar to how other platforms work, by promoting popular channels more than new and unpopular channels.

Twitch is apparently, allegedly working on technology to kill those view-bots. The researcher who was looking over Twitch’s doxxed data claimed that Twitch uses what PrivacySharks described as “detection tactics involving broadcast statistics to see whether or not streamers are using view-bots.”

In a Thursday blog post, PrivacySharks shared a screenshot that shared what allegedly look like Twitch’s botting-battle plans: “This will compute partnerships-relevant information for each broadcast for which edge playlist requests were made (in other words, a broadcast that someone, somewhere cared about), including basic broadcast summary statistics, whether the broadcast was botted, roughly how many of the views were real, how concurrents numbers change if we factor out the botted views, and some information on chat activity. ”

Why Does View-Botting Matter?

Twitch’s embrace of anti-view-bot technology shouldn’t surprise anyone: In April, Twitch announced that it was cracking down on the bots, leading many Twitch streamers to hemorrhage followers.

As PrivacySharks’s Madeleine Hodson explained in Thursday’s blog post, amassing a large following is crucial to getting popular on Twitch, and when she says “crucial,” she’s talking dollar signs.

“Not only does this increase earnings on the platform from subscriptions and donations, but it can result in lucrative partnerships with third-party companies,” she wrote. “However, if companies are advertising products with Twitch creators that are streaming to a mostly fake audience, a lot of money is being spent to no avail.”

A Pound of Source-Code Flesh

But while view-bots matter to streamers and advertisers in the Twitch ecosystem, the source-code leak is what makes cybersecurity professionals perk up their ears.

Jon Murchison, CEO of Blackpoint Cyber, told Threatpost that from an information security standpoint, “Source code and software development kits are the crown jewels that you want to protect at all cost.”

He and others predicted that the leak could result in adversaries uncovering critical vulnerabilities that could be weaponized for future use. “While details are still scarce, this highlights the difficulty with securing distributed cloud and on-prem infrastructure,” Murchison commented.

June Werner, cyber-range engineer at Infosec Institute, agreed that the source-code leak “may make it easier for malicious actors to find exploits on Twitch’s platform in the future.”

To reiterate, Twitch hasn’t acknowledged the leak of personal data. But given the findings of PrivacySharks’ researcher contact, and just to stay on the safe side, Werner suggested that to protect themselves, Twitch users should enable two-factor authentication (2FA) and ensure that they’re not using their old Twitch password for any other accounts.

101321 08:51 UPDATE: Corrected first reference to credentials in clear text: PrivacySharks clarified that the researcher found one set of credentials and that it’s unknown whether the source is an external or internal database.

Check out our free upcoming live and on-demand online town halls – unique, dynamic discussions with cybersecurity experts and the Threatpost community.

Suggested articles


  • Gabriel on

    You're saying one thing but showing something else. The screenshot of a password in cleartext shows a single account being used to connect to a database, most likely a service account with a non-expiring password. (Otherwise that function breaks every time that account changes its password.) But the wording on this article makes it sound like streamers (all of them?) had their credentials exposed. It says someone "found streamers’ email addresses and passwords in plain text in one exposed datastore." Did the wrong screenshot get uploaded? In any case, if you have a Twitch account, reset the password.
  • Elind on

    There is something wrong in the article title and in what is shared here. The researcher forgot to mention that the code lines shared are basically just an admin password, and in no way a twitch user password in clear text. Without willing to sound condescending, I still have to say this: Anyone who would have ever worked seriously as internet developer at least "two days" in his/her life (and sorry for the factual information here), would notice this information does not entail user passwords (from twitch users) shared in clear text. The reasoning behind this is that it's an admin password shared in clear text. This is actually the usual way a sql connection is made; it usually is with an admin password in clear text. That access is not an information on a twitch user but leads to a database which certainly has a collection of data, such as emails and ENCRYPTED passwords. I used the uppercase because this is what is important here. The fact that a researcher believes it's a twitch user password (and even more, a collection of twitch user passwords in clear text) shows that he/she actually did not know what he/she was talking about here, or alternatively, that the information the researcher provided was actually accurate and commented differently, but then was misused or misunderstood. This needs fixing please. Uness I am mistaken, but given the screenshot (and thank you for sharing it, it helps in finding the truth here) I doubt it. Interpreting this line of code differently than what it is invites a huge misunderstanding. So to be clear: AFAIK the leak shows access to the SQL database meaning they got a number of interesting data, which should include emails and as usual in databases what is likely to be encrypted passwords. There is no reason yet to anticipate there could be passwords in clear text. However, if it's the entire twitch source code there could be reasons to anticipate the salting method is exposed in source code, meaning some specific individual passwords "could be" recovered as encrypted from database, and then "possibly cracked" with a lot of intent, but even this sounds unlikely. In addition, Twitch should mention that hackers had access to database with such information (emails, activity and encrypted passwords, etc) or alternatively, expose what this database was which was breached (as it could be a database subset with only other information, but I highly doubt it). TLDR again, the information that "user passwords were shared in clear text" seems absolutely wrong here and needs to be corrected. Thanks.
    • Lisa Vaas on

      Thanks very much for your feedback: I'm checking now with the sources to figure out if I used the wrong screen capture or, if not, to get them to respond to the many comments we're getting along the same lines as yours.
  • stefafafan on

    The first caption saying "Emails and passwords in clear text. Source: PrivacySharks." looks incorrect. That image only shows connection information to a database (probably Amazon Redshift), and not the credentials of an individual user. Of course, if anyone is able to connect to that database, that will be a problem, but the screenshot does not tell us passwords are saved in clear text.
  • george on

    the screenshot of "emails and passwords in cleartext", is code of a database connection and likely not end user pwds.
  • AE on

    If the pictured credentials are what the finder thought were leaked user details, they're thankfully mistaken! It's 'just' a connection string (the credentials an application will use to log into a database server).
  • Anonymous on

    This is extremely misleading. There are no user login credentials in plain text. The one they found was for a database that likely cannot be accessed from the public internet.
  • Thomas on

    I appreciate the kind hearts and I love you all. Don't get any of this wrong. Love has to include blatant honesty. This entire thing is so stupid. The incompetence is so grotesque it makes me furious and extremely flabbergasted. I truly mean no offense, but it's really so imbecile, and I'm just going to be honest here, I have to. The fact that PrivacySharks and threatpost are so clueless about the field they pretend to be knowledgeable in, is incredibly disgraceful and insulting to anyone having the slightest clue. I'm going to ignore the primary idiocy of announcing the database connection password (which has to be cleartext), even beyond remotely resembling cleartext user passwords, to mention a few other points. "Bots aren’t all bad. Good bots help keep weather, sports and other news updated in real-time, and they can help find the best price on a product or track down stolen content..." those aren't bots... Those are just regular programs... In reality, all bots are also just that, programs, so they're a little hard to define, but some things that all bots have in common, is that they more or less pretend to be a person, usually displaying personality, and usually performing tasks that humans could perform; they do human-level stuff; they work with, among and along the humans. "view-fraud bot" view botting isn't fraud, it's simply legal cheating, though it does resemble fraud somewhat; at least, fraud is not commonly associated; fraud is a strong word, and implies illegal and criminal activity, which view-botting is not. "135 gigabytes" it was 125. Most other sources say 128, but this is the first time I'm hearing 135. Don't mind the cherry picking, but lets just get all the facts right. "Twitch’s doxxed data" doxing is the act of tracking down the name, address, and/or other personally identifiable information (documents/dox) of some individual and releasing it. It can't be used like this. This is just a leak. Don't be discouraged to continue what you do, but please, be vary of your occasional cluelessness and lack of expertise; research the terminology you use, don't simply assume it. Let these words encourage improvement. Again, I might come off rude, but that's really not my intention; I'm merely being very blunt and realistic, and doing so for the love of truth and knowledge, and anybody who wants to spread it, which includes you guys.

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.