Two days after an unnamed hacker leaked a trove Twitch data including the streaming platform’s source code and information about payments to streamers, users are still seeking answers. Instead, they’re getting trolled.
Users complained Friday that the header image for a game listings section on the Twitch website was replaced by a close-up of Jeff Bezos, founder of Amazon, which owns Twitch, as The Verge first reported. The image also seems to appear alongside the data leaked on the message board 4Chan, a notorious forum where hackers, trolls and other anonymous internet users congregate.
While the image of Bezos disappeared from Twitch within a few hours, the website defacement is a signal that Twitch’s security issues are not over, days after a major data breach.
The Amazon-owned company confirmed Wednesday that an unknown party had accessed Twitch’s source code as a result of a “misconfigured server.” Caught up in the trove of information on Twitch’s inner workings were substantial details on streamers’ payments going back three years.
In the 48 hours since the breach, streamers have expressed concerns their personal earnings would be used to harass them, while many users have threatened to leave for other platforms. Others have expressed confusion about repeated instructions to reset their security keys and other potentially related disruptions to the site’s services. The company’s Twitch Support account on Twitter hasn’t publicly replied to users since October 5.
The data was labeled “part 1,” though it’s unclear if more data exists or will be leaked. There has been no indication that the data has been used to financially extort Twitch or its users.
The breach comes as Twitch has struggled clamp down on so-called hate raids, in which one user direct a flood bots to a specific streamer account, overwhelming their page with hateful messages. The issue has become pervasive enough that the campaigns #DoBetterTwitch and #ADayOffTwitch have trended on Twitter in recent weeks. The 4Chan user alluded to the controversy in a post announcing the data leak.
“Their community is also a disgusting toxic cesspool, so to foster more disruption and competition in the online video streaming space, we have completely pwned them,” the hacker said of their motivations in the 4Chan post. The post also referred to the hashtag #DoBetterTwitch.
There is no evidence that login credentials have been exposed, the company wrote in a blog post. Twitch does not store full credit card numbers, according to the statement.
Still, the company’s source code is valuable enough that security experts say the streaming giant is far from in the clear yet.
“The leakage of source code and information about the company’s infrastructure makes it easier to find other vulnerabilities and implement attacks that can be carried out by more experienced attackers,” Kaspersky security expert Sergey Shcherbel wrote in an email.
The incident has pointed to deeper concerns about the security culture at Twitch.
A former Twitch employee told The Verge that Twitch has failed to report security issues in the past, including a 2017 incident that could allegedly still serve as a way for hackers to attack players. “Scammers were allegedly able to contact streamers requesting revenue sharing from Twitch Prime subscriptions, and the source claims it led to Twitch accounts being connected to compromised Amazon accounts,” The Verge reported.
In 2015 the Amazon-owned company had to reset some accounts due to possible “unauthorized access.”
Twitch declined to comment on the alleged 2017 incident and referred CyberScoop back to a statement made Thursday about the most recent hack.