Twitch Leak Included Emails, Passwords, According to Independent Researcher
It’s kind of terrifying to think about how modern services tend to integrate themselves across your various presences online. Whenever users sign up for a new service, they will typically be asked if they want to connect an account from another service in order to help the user find already existing friends on the platform, or push updates from one platform onto the other. The inter-connectivity of services can make info leaks from even one platform nerve-wracking, as login information on one platform could possibly lead to more private information being accessed due to services and applications being connected to one another. When Twitch saw a massive info leak earlier this month, the concern over the release of personal information, such as emails and passwords, was assuaged by Twitch. Now, it seems that Twitch users should indeed be worried that emails, passwords, and other pieces of personal information can be exploited by malicious actors, as new information has surfaced regarding the October Twitch leak.
Update 10/15: Twitch has now issued a new statement claiming that no passwords have been exposed. You can view the full statement here.
New Details Regarding the Twitch Leak
According to a cybersecurity news site, the Twitch leak actually contained exploitable information that would allow malicious actors to access a user’s emails and passwords. Twitch’s initial statement regarding the leak assured users that their personal information had not been compromised. However, the work of an independent researcher suggests that is not the case. Apparently, a PayPal file included in the initial 135-gigabyte leak contained details on more than a thousand charge-back requests made from Twitch to various platforms. The PayPal file included records of users’ full names, emails, passwords, and the amount of money users were charging back through Twitch.
The charge-back information was not the only source of emails and passwords released during the Twitch leak last week: employee information was also released, revealing the names, emails, and roles of Twitch back-end employees. In malicious hands, this information could enable targeted harassment by those looking to disrupt Twitch’s back-end operations.
As if this wasn’t enough, the independent researcher discovered that Twitch had engaged in industry surveillance, scraping data from competing services for live channel and view count information. This part of the leak included data on defunct services such as Hitbox and Periscope.
What’s more alarming, however, is the release of Twitch’s source code, which would allow hackers and malicious actors to research vulnerabilities in Twitch’s platform and create exploits for them. That means there’s still the possibility that Twitch could see future attacks and leaks if it can’t get ahead of the leaker or individuals working to undermine its business.
As of the writing of this article, Twitch has yet to make a statement regarding charge-back information and the leak of their source code.