Twitch Leak Included Emails, Password: Researcher

A researcher combed through the Twitch leak and found what they said was evidence of PayPal chargebacks with names and emails, employees’ emails, and more.

Twitch users, if you haven’t changed your password yet, go. Now. Do it.

101321 08:45 UPDATE: Your email and password may already have been leaked – unhashed and unencrypted, though it’s not known if the one Twitch set of Twitch credentials are from an internally or externally facing database.

Researchers have been squeezing the live-streaming service’s innards after 135 gigabytes of its internal data were smeared all over 4chan by an anonymous poster on Tuesday.

Infosec Insiders Newsletter

It’s a horrific leak that included the Amazon-owned service’s source code, comments dating back to the dawn of Twitch time, security tools, an unreleased Amazon Game Studios competitor to Steam (codenamed Vapor), a list of of the highest-paid channels plus how much they were paid (FYI: A channel operated by voice actors took the top spot, making about $10 million in two years), and more.

Emails, Passwords in Plaintext

Since Tuesday, the “and more” has been unpacked to reveal what many experts predicted: Namely, this wasn’t just a direct attack on Twitch, in spite of the attacker calling the service a “disgusting toxic cesspool.”

Rather, it was also an attack on Twitch users, whose personal information was breached.

An independent security researcher who requested anonymity found the following email address and password in plain text in one exposed datastore. The researcher shared the following Twitch screenshot with PrivacySharks, which subsequently shared it with Threatpost.

Emails and passwords in clear text. Source: PrivacySharks.

When Threatpost contacted Twitch, a representative sent this statement: “At this time, we have no indication that login credentials have been exposed. We are continuing to investigate. Additionally, full credit-card numbers are not stored by Twitch, so full credit-card numbers were not exposed.”

It Was a Misconfigured Switch

On Wednesday, Twitch disclosed that “some data” was exposed to the internet due to “an error in a Twitch server configuration change that was subsequently accessed by a malicious third party.” It said that its teams were urgently investigating, but that it hadn’t found any evidence that login credentials had been exposed.

“We are continuing to investigate,” Twitch said.

On Thursday, the service reset all keys “​​out of an abundance of caution” and directed streamers to get new keys here.

PayPal Chargebacks, Scraping Competitors’ Sites, Employee Data

In spite of Twitch’s failure to find any evidence of exposed user data, the independent researcher shared with PrivacySharks other datastores containing personal data, including a PayPal file containing details on more than 1,000 chargebacks made from Twitch to various platforms.

The records include full names, email addresses, buyer comments and amounts. The redacted screenshot below is an example of what the file contained:

PayPal chargebacks made from Twitch to various platforms, including name, email, buyer comments and amount. Source: PrivacySharks.

The anonymous leaker called Tuesday’s 135 gigabytes data dump “part one” of the leak, but they didn’t say what else might be coming or when.

But so far, as the researcher told PrivacySharks, the leak has also included back-end employees’ names, email addresses and positions.

The researcher also discovered evidence that Twitch has allegedly been scraping competitors’ services for live channels and view counts. They shared this screen capture:

Twitch Allegedly Has Anti-View-Botting Tech Up Its Sleeve

Finally, the researcher also found screenshots that indicate that Twitch is allegedly ramping up its technology to detect and prevent view-botting on the platform. View-botting is when streamers artificially inflate their concurrent-view count by using “illegitimate scripts or tools,” according to Twitch.

Bots aren’t all bad. Good bots help keep weather, sports and other news updated in real-time, and they can help find the best price on a product or track down stolen content. Bad bots, however, can dish out malware and can be used for hacking, spamming, spying, spreading fake news and compromising websites of all sizes, as Kaspersky has explained.

When it comes to a service like Twitch, streamers use view-fraud bots “to boost their streams and get on the virtual leaderboard where they hope to attract legitimate followers and views,” according to Fraud Blocker. That’s similar to how other platforms work, by promoting popular channels more than new and unpopular channels.

Twitch is apparently, allegedly working on technology to kill those view-bots. The researcher who was looking over Twitch’s doxxed data claimed that Twitch uses what PrivacySharks described as “detection tactics involving broadcast statistics to see whether or not streamers are using view-bots.”

In a Thursday blog post, PrivacySharks shared a screenshot that shared what allegedly look like Twitch’s botting-battle plans: “This will compute partnerships-relevant information for each broadcast for which edge playlist requests were made (in other words, a broadcast that someone, somewhere cared about), including basic broadcast summary statistics, whether the broadcast was botted, roughly how many of the views were real, how concurrents numbers change if we factor out the botted views, and some information on chat activity. ”

Why Does View-Botting Matter?

Twitch’s embrace of anti-view-bot technology shouldn’t surprise anyone: In April, Twitch announced that it was cracking down on the bots, leading many Twitch streamers to hemorrhage followers.

As PrivacySharks’s Madeleine Hodson explained in Thursday’s blog post, amassing a large following is crucial to getting popular on Twitch, and when she says “crucial,” she’s talking dollar signs.

“Not only does this increase earnings on the platform from subscriptions and donations, but it can result in lucrative partnerships with third-party companies,” she wrote. “However, if companies are advertising products with Twitch creators that are streaming to a mostly fake audience, a lot of money is being spent to no avail.”

A Pound of Source-Code Flesh

But while view-bots matter to streamers and advertisers in the Twitch ecosystem, the source-code leak is what makes cybersecurity professionals perk up their ears.

Jon Murchison, CEO of Blackpoint Cyber, told Threatpost that from an information security standpoint, “Source code and software development kits are the crown jewels that you want to protect at all cost.”

He and others predicted that the leak could result in adversaries uncovering critical vulnerabilities that could be weaponized for future use. “While details are still scarce, this highlights the difficulty with securing distributed cloud and on-prem infrastructure,” Murchison commented.

June Werner, cyber-range engineer at Infosec Institute, agreed that the source-code leak “may make it easier for malicious actors to find exploits on Twitch’s platform in the future.”

To reiterate, Twitch hasn’t acknowledged the leak of personal data. But given the findings of PrivacySharks’ researcher contact, and just to stay on the safe side, Werner suggested that to protect themselves, Twitch users should enable two-factor authentication (2FA) and ensure that they’re not using their old Twitch password for any other accounts.

101321 08:51 UPDATE: Corrected first reference to credentials in clear text: PrivacySharks clarified that the researcher found one set of credentials and that it’s unknown whether the source is an external or internal database.

Check out our free upcoming live and on-demand online town halls – unique, dynamic discussions with cybersecurity experts and the Threatpost community.

Suggested articles


  • Gabriel on

    You're saying one thing but showing something else. The screenshot of a password in cleartext shows a single account being used to connect to a database, most likely a service account with a non-expiring password. (Otherwise that function breaks every time that account changes its password.) But the wording on this article makes it sound like streamers (all of them?) had their credentials exposed. It says someone "found streamers’ email addresses and passwords in plain text in one exposed datastore." Did the wrong screenshot get uploaded? In any case, if you have a Twitch account, reset the password.
  • Elind on

    There is something wrong in the article title and in what is shared here. The researcher forgot to mention that the code lines shared are basically just an admin password, and in no way a twitch user password in clear text. Without willing to sound condescending, I still have to say this: Anyone who would have ever worked seriously as internet developer at least "two days" in his/her life (and sorry for the factual information here), would notice this information does not entail user passwords (from twitch users) shared in clear text. The reasoning behind this is that it's an admin password shared in clear text. This is actually the usual way a sql connection is made; it usually is with an admin password in clear text. That access is not an information on a twitch user but leads to a database which certainly has a collection of data, such as emails and ENCRYPTED passwords. I used the uppercase because this is what is important here. The fact that a researcher believes it's a twitch user password (and even more, a collection of twitch user passwords in clear text) shows that he/she actually did not know what he/she was talking about here, or alternatively, that the information the researcher provided was actually accurate and commented differently, but then was misused or misunderstood. This needs fixing please. Uness I am mistaken, but given the screenshot (and thank you for sharing it, it helps in finding the truth here) I doubt it. Interpreting this line of code differently than what it is invites a huge misunderstanding. So to be clear: AFAIK the leak shows access to the SQL database meaning they got a number of interesting data, which should include emails and as usual in databases what is likely to be encrypted passwords. There is no reason yet to anticipate there could be passwords in clear text. However, if it's the entire twitch source code there could be reasons to anticipate the salting method is exposed in source code, meaning some specific individual passwords "could be" recovered as encrypted from database, and then "possibly cracked" with a lot of intent, but even this sounds unlikely. In addition, Twitch should mention that hackers had access to database with such information (emails, activity and encrypted passwords, etc) or alternatively, expose what this database was which was breached (as it could be a database subset with only other information, but I highly doubt it). TLDR again, the information that "user passwords were shared in clear text" seems absolutely wrong here and needs to be corrected. Thanks.
    • Lisa Vaas on

      Thanks very much for your feedback: I'm checking now with the sources to figure out if I used the wrong screen capture or, if not, to get them to respond to the many comments we're getting along the same lines as yours.
  • stefafafan on

    The first caption saying "Emails and passwords in clear text. Source: PrivacySharks." looks incorrect. That image only shows connection information to a database (probably Amazon Redshift), and not the credentials of an individual user. Of course, if anyone is able to connect to that database, that will be a problem, but the screenshot does not tell us passwords are saved in clear text.
  • george on

    the screenshot of "emails and passwords in cleartext", is code of a database connection and likely not end user pwds.
  • AE on

    If the pictured credentials are what the finder thought were leaked user details, they're thankfully mistaken! It's 'just' a connection string (the credentials an application will use to log into a database server).
  • Anonymous on

    This is extremely misleading. There are no user login credentials in plain text. The one they found was for a database that likely cannot be accessed from the public internet.

Leave A Comment


This site uses Akismet to reduce spam. Learn how your comment data is processed.

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.