View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
October 6, 2021updated 07 Oct 2021 3:42pm

Twitch hacked: Is insecure legacy infrastructure to blame?

Source code from the streaming platform for gamers has apparently been leaked online. Hackers may have used vulnerabilities in legacy infrastructure to gain access.

By Claudia Glover

Twitch appears to have suffered a devastating hack, with source code for the streaming platform for gamers having apparently been dumped online. Data from 6,000 internal GitHub repositories belonging to the Amazon-owned platform has found its way into the public domain. The names of some of the repositories may indicate the hackers entered through insecure legacy software, a cybersecurity expert told Tech Monitor.

Twitch appears to have suffered a major data breach. (Photo by Hollie Adams/Bloomberg via Getty Images)

Twitch has since confirmed the leak in a blog post, also detailing the source, which it says was a server configuration change that was subsequently “accessed by a third malicious party.” This will have been due to a mistake made internally says James Chapell, founder and CIO of UK cybersecurity company Digital Shadows. “Someone made an error” he says. “They applied a configuration to this server, which then made it accessible by this malicious party.”

A torrent containing 128GB worth of data purporting to be from Twitch was posted on 4chan bulletin board, which is popular with hackers, on Wednesday. Files analysed so far have included Twitch’s source code, as well as an unreleased Steam competitor from Amazon Game Studios, codenamed Vapor (Steam is an online platform for buying and playing games), and creator payouts from 2019 to the present day. These figures appear to contain the payment details of up to 2.4m streamers. 

Content from our partners
Green for go: Transforming trade in the UK
Manufacturers are switching to personalised customer experience amid fierce competition
How many ends in end-to-end service orchestration?

Twitch hacked: how did the attackers get in?

A clue as to how the hackers managed to infiltrate the internal server in the first place may have already been unearthed. One of the 6,000 GitHub repositories that have appeared is named “”. was a video streaming platform the company brought in 2011, which has been offline since 2014. It’s server, however, appears to be a central part of the Twitch architecture despite its age, explains Chapell. “Justin TV was one of the predecessor organizations that sort of morphed into Twitch. So [the server is] quite old, it dates back to about 2007, and it’s the original server that Twitch was built on. But the files on this service seem to be relatively up to date so I think it was an active server.”

It is common for legacy software and hardware to be neglected, and it is therefore likely that this may be where the leak originated, continues Chapell: “It is not uncommon for older bits of infrastructure to be less well maintained than more recent bits of infrastructure, and that creates circumstances where mistakes such as misconfigurations can come about more regularly.”

The anonymous hacker claims to have hacked “the entirety of Twitch” including mobile, desktop and video game console Twitch clients, Twitch security operations centre internal red teaming tools and “every other property that Twitch owns”. These claims are currently unverified, as the attacker says what is online at present is just part one of the release. So far no personally identifiable information (PII) has been found in the data.

Chapell says the true extent of the breach may not be known for some time. “With a 128GB file it takes a little while to download over a torrent and this has only been going since this morning, so I doubt anybody has the full archive yet. I think analysis will be ongoing to establish exactly what the full scope of this is.”

The leak appears to be the latest in a long line of attacks on Twitch, which has been suffering so-called “hate raids,”  – bursts of bile aimed at streamers by trolls – which often target ethnic minority or LGBTQ+ streamers. After weeks of issues, Twitch users boycotted the site for a day in August, but the platform has yet to act, saying the problems are difficult to solve. The 4chan data dump refers to the Twitch community as “a disgusting toxic cesspool” and uses the hashtag #DoBetterTwitch which features heavily in the online retaliation around the raids.

This may give some insight into the motivation of the leak, says Chapell: “The motivation looks to be extortion, in the sense that this individual seems to be advocating for a decision [for Twitch to stop the hate raids] by doing something serious and threatening to do more,” he says.

Topics in this article :
Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how New Statesman Media Group may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.