Anatomy of a Breach

Anatomy of a Breach: Twitch — The Entire Source Code, Streamer Earnings, and Internal Tools Leaked in a 128GB Torrent

> series: anatomy_of_a_breach —— part: 154 —— target: twitch —— data: 128GB —— contents: source_code_earnings_internal_tools<span class="cursor-blink">_</span>_

Hedgehog Security 31 October 2021 12 min read
data-breach twitch source-code streamer-earnings amazon 128gb misconfiguration series
Breach #154

128GB. The entire source code. Streamer earnings. Internal tools. Posted on 4chan.

On 6 October 2021, an anonymous user posted a 128GB torrent to 4chan containing what appeared to be the entirety of Twitch's internal code and data. The leak included Twitch's complete source code repository (with commit history), internal tools and services, an unreleased Amazon Game Studios project codenamed 'Vapor' (a Steam competitor), proprietary SDKs, and — the detail that generated the most public attention — the complete payout data for Twitch's top streamers, revealing that the platform's highest earners received millions of dollars annually.

Twitch confirmed the breach and attributed it to a server misconfiguration that allowed unauthorised access to its internal systems. The company stated that user passwords were not exposed (they were hashed with bcrypt) and that full credit card numbers were not stored on Twitch's systems. However, the exposure of the entire source code — including security-related code — enabled attackers to identify vulnerabilities in Twitch's codebase. Twitch reset all stream keys as a precautionary measure. The leak was labelled 'part one' by the leaker, though no subsequent parts were published.

Source Code Exposure
Recommended

Not sure where to start?

We'll scope your test for free and tell you exactly what you need. No obligation, no hard sell.

Free Scoping Call

When your entire codebase is public, every vulnerability is findable.

Source Code Enables Vulnerability Discovery
With Twitch's entire source code public, anyone can audit it for vulnerabilities — and not all auditors are well-intentioned. The exposure of source code dramatically reduces the effort required to find exploitable vulnerabilities. This parallels the <a href="/blog/anatomy-of-a-breach-adobe">Adobe source code theft</a> (2013) and the <a href="/blog/anatomy-of-a-breach-hacking-team">Hacking Team leak</a> (2015). Our <a href="/penetration-testing/web-application">application testing</a> identifies vulnerabilities that source code exposure would reveal.
Streamer Earnings Exposed
The publication of individual streamer earnings — revealing that top creators earned $1M-$10M annually — caused significant personal and professional disruption for affected streamers. Financial data, even when it reveals earnings rather than debts, can create safety risks including targeted extortion and social engineering.
Server Misconfiguration
Twitch attributed the breach to a server misconfiguration — the same root cause behind the <a href="/blog/anatomy-of-a-breach-microsoft-250m">Microsoft 250M exposure</a> (2020), <a href="/blog/anatomy-of-a-breach-ecuador">Ecuador</a> (2019), and the <a href="/blog/anatomy-of-a-breach-mongodb-ransomware">MongoDB wave</a> (2017). Configuration is security. Our <a href="/penetration-testing/cloud-configuration-review">cloud configuration reviews</a> identify misconfigurations before attackers find them.
bcrypt Saved the Passwords
Twitch's use of bcrypt for password hashing meant that user passwords were not directly compromised — a security success that limited the breach's impact on end users. Proper password hashing saves users even when everything else fails. Our <a href="/penetration-testing/web-application">application testing</a> verifies password storage implementation.
Lessons

Configuration is security. Source code is a crown jewel. Protect both.

The Twitch breach reinforced two fundamental principles: first, server and cloud misconfigurations continue to be the most common root cause of major data exposures — from MongoDB (2017) through Microsoft (2020) to Twitch (2021). Second, source code is a crown-jewel asset whose exposure enables further attacks. Both require continuous verification through testing.

Cloud configuration reviews identify misconfigurations. Application testing identifies the vulnerabilities that source code exposure would reveal. Cyber Essentials mandates secure configuration. SOC in a Box monitors for data exfiltration and configuration changes. And UK Cyber Defence provides incident response when source code or sensitive internal data is exposed.

Protect Your Crown Jewels

Twitch's entire source code leaked through a misconfiguration. Are your crown jewels protected?

<a href="/penetration-testing/cloud-configuration-review">Cloud reviews</a> find misconfigurations. <a href="/penetration-testing/web-application">Application testing</a> identifies vulnerabilities. <a href="/cyber-essentials">Cyber Essentials</a> mandates secure configuration.

Commission a Security Assessment Next: GoDaddy
Next Step

Not sure where to start?

We'll scope your test for free and tell you exactly what you need. No obligation, no hard sell.

Free Scoping Call
Keep Reading

Related Articles

Anatomy of a Breach 30 September 2013

Anatomy of a Breach: Adobe — 153 Million Accounts and the Largest Data Breach in History

Breach #057. In October 2013, Adobe disclosed that attackers had compromised approximately 2.9 million customer accounts. Within weeks, security researcher Brian Krebs revealed the true scale: 153 million accounts — making it the largest data breach ever reported at the time. The passwords were stored using 3DES encryption (not hashing) in ECB mode, which allowed researchers to crack millions of passwords through pattern analysis. Adobe also lost source code for Acrobat, ColdFusion, and other products.

data-breach adobe
14 min read
Anatomy of a Breach 30 April 2024

Anatomy of a Breach: AT&T — 73 Million Customer Records from a 2019 Breach Surface on the Dark Web

Breach #184. In March 2024, AT&T confirmed that a dataset containing the personal information of approximately 73 million current and former customers had been published on the dark web. The data — including names, addresses, phone numbers, dates of birth, Social Security numbers, and encrypted AT&T account passcodes (which security researchers quickly cracked) — appeared to originate from a breach dating to approximately 2019. AT&T had previously denied the data was from its systems. The breach demonstrated that stolen data surfaces years later, and that denial does not make a breach disappear.

data-breach att
12 min read
Anatomy of a Breach 30 April 2023

Anatomy of a Breach: Western Digital — My Cloud Offline for Two Weeks and 10TB of Internal Data Stolen

Breach #172. In April 2023, Western Digital — one of the world's largest data storage companies — disclosed that attackers had breached its network and stolen approximately 10 terabytes of internal data. The breach forced Western Digital to take its My Cloud consumer cloud storage service offline for approximately two weeks, locking millions of users out of their personal data. The attackers — a group calling themselves ALPHV/BlackCat — published screenshots of internal emails, videoconference screenshots, and evidence of access to Western Digital's SAP backend and internal tools. A company whose entire business is storing and protecting data could not protect its own.

data-breach western-digital
12 min read
All Posts Get in Touch