It looks like popular gaming-focused streaming platform Twitch.tv has some troubling days, months, or maybe even years ahead of it. According to Video Games Chronicle, the entirety of the website’s code and internal documents have been leaked online on 4chan as part of a 125GB torrent dump on Wednesday. It’s still unclear if user data is also affected, but given the extent of the leak, we wouldn’t be surprised.

What happened?

In the early hours of October 6, an anonymous user posted a torrent containing almost all of Twitch’s code and secrets to 4chan. Twitch has acknolwedged that a breach occurred, but isn't saying much about its content.

The leaked data is said to include all of Twitch’s source code, including comment history going back to early beginnings; creator payout reports from 2019; source code for mobile, desktop, and console clients; internal and proprietary tools from Amazon services; and Twitch’s internal “red teaming” tool which it uses for improving security by letting employees pose as hackers.

According to Twitter user @Sinoc229, the leak also contains encrypted passwords, so it’s highly encouraged to change your login credentials if you have an account. Once it’s confirmed that this encryption can be broken and login details are publicly available, they will likely be added to Have I Been Pwned’s library and warn those who use the service to monitor password breaches.

Most interestingly, the leak also shows that Twitch has a yet-unknown Steam competitor in the works it currently calls “Vapor.” It’s supposed to come with a chat client called “Vaporworld” and integrate seamlessly with Twitch’s streaming capabilities. Vaperworld apparently has some kind of VR capabilities built-in, with 3D emotes and maps available in the assets and Unity plugins in place for developers.

What to do?

To be sure you’re secure if you have a Twitch account, change your password. You can do this under Settings -> Security & Privacy when clicking your profile image. While you’re there, you should also turn on 2-factor authentication as an additional security measure, which will require you to input a regenerating code in addition to your password when you log in. You can activate it by selecting the Edit Two-Factor Authentication option (see Twitch's help page for more details). Since SMS is too insecure to be considered a safe second factor, you should get a separate authenticator app for your phone to use the feature, like Authy or any other recommended 2FA app.

If you use your Twitch password for any other services, be sure to change it for these accounts, too. This is why you should always create unique passwords. A password manager will make this easier, and these days, autofill is available on almost any browser or OS you could think of, so it's pretty easy to use.

We're still learning what's contained in the 125GB leak. At the moment, the implications are still up in the air, but it sure seems like it's huge. The leak could be a devastating blow to the company, as its competition now has the chance to dissect the business's secrets, not to mention the privacy-breaching creator payouts now publicly available, which we've intentionally not posted in this article.

Alternate Title: Twitch.tv was just (involuntarily) open-sourced