Data breach · Resolved

Twitch source-code and creator-payout leak

A server misconfiguration exposed Twitch's entire Git repository to an anonymous attacker, who leaked 125 GB of data — the full source code with commit history, internal tools, and three years of creator payout figures — as a torrent on 4chan.

Victim: Twitch (Amazon)

On 6 October 2021, an anonymous user posted a 125 GB torrent to the 4chan message board, labelling it "part one" of a leak from Twitch, the Amazon-owned live-streaming platform. The dump contained the entirety of Twitch's source code, internal developer tooling, and — most damagingly for the company's relationships with its biggest stars — three years of creator payout figures. The leaker stated the goal was to "foster more disruption and competition in the online video streaming space," and tagged the post with a slur describing the Twitch community as a "disgusting toxic cesspool."

What happened

The breach did not involve malware, ransomware, or an exploited software vulnerability. Twitch attributed it to a server configuration change that "was subsequently accessed by a malicious third party." In effect, a change to a server's settings inadvertently exposed an internal Git repository to the public internet, and the attacker simply cloned it.

Because the attacker had pulled the Git repository wholesale, the leak included the full commit history of Twitch's codebase "going back to its early beginnings."
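As an added example (not Twitch's code or tooling; the page does not say which transport exposed the repository): assuming the repository is served over Git's smart HTTP protocol, this classifies the unauthenticated response an exposure monitor would record from each of your own Git hosts' `info/refs?service=git-upload-pack` endpoint. The host names and responses are constructed.

```python
import re

ADVERT_TYPE = "application/x-git-upload-pack-advertisement"

def pkt(payload: bytes) -> bytes:
    """Encode one pkt-line: 4 hex digits of total length, then the payload."""
    return b"%04x" % (len(payload) + 4) + payload

def parse_pkt_lines(body: bytes) -> list:
    """Split a pkt-line stream into payloads; b'' marks a flush packet (0000)."""
    out, i = [], 0
    while i + 4 <= len(body):
        n = int(body[i:i + 4], 16)      # raises ValueError on non-hex (e.g. HTML)
        if n == 0:
            out.append(b"")
            i += 4
            continue
        if n < 4 or i + n > len(body):
            raise ValueError("malformed pkt-line")
        out.append(body[i + 4:i + n])
        i += n
    return out

def classify(status: int, content_type: str, body: bytes) -> dict:
    """Classify one response to an unauthenticated ref-discovery request."""
    if status in (401, 403):
        return {"verdict": "auth-required", "refs": 0}
    ctype = content_type.split(";")[0].strip().lower()
    try:
        pkts = parse_pkt_lines(body) if status == 200 and ctype == ADVERT_TYPE else []
    except ValueError:
        pkts = []
    if not pkts or pkts[0].rstrip(b"\n") != b"# service=git-upload-pack":
        return {"verdict": "not-git", "refs": 0}
    # Each advertised ref is "<object id> <name>"; any ref means history is fetchable.
    refs = [p for p in pkts[1:] if re.match(rb"[0-9a-f]{40,64} ", p)]
    return {"verdict": "ANONYMOUS-CLONE-POSSIBLE", "refs": len(refs)}

SHA = b"1" * 40  # constructed object id
OPEN_BODY = (pkt(b"# service=git-upload-pack\n") + b"0000"
             + pkt(SHA + b" HEAD\0multi_ack side-band-64k\n")
             + pkt(SHA + b" refs/heads/main\n") + b"0000")
SAMPLES = {  # constructed responses, as seen from outside the corporate network
    "git.internal.example": (200, ADVERT_TYPE, OPEN_BODY),
    "code.internal.example": (401, "text/html", b""),
    "wiki.internal.example": (200, "text/html; charset=utf-8", b"<html>login</html>"),
}

def audit(samples: dict) -> dict:
    return {host: classify(*resp) for host, resp in samples.items()}
```

Running a check like this after every change to a Git front end or its proxy turns a silent access-control regression into an alert.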

What was leaked

The 125 GB archive included:

  • The complete source code for Twitch's website, mobile, desktop, and console clients, with full commit history.
  • Proprietary SDKs and internal AWS services Twitch relied on.
  • The source for Twitch-owned properties IGDB and CurseForge.
  • Creator payout reports spanning 2019, 2020, and the first three quarters of 2021 — exposing exactly how much Twitch paid each of its top streamers. The data revealed that more than 13 accounts had earned over $108,000 annually since 2019, with top earners pulling in millions.
  • "Vapor," an unreleased Amazon Game Studios project described as a Steam competitor.
  • Twitch's internal red-teaming and security tooling — the very tools its security team used to test its own defences.

What was not leaked

Twitch's investigation determined that the breach did not expose login credentials or full credit-card numbers. User passwords are hashed (bcrypt), and the systems storing password data were not among those compromised. As a precaution, Twitch reset all stream keys and urged users to enable two-factor authentication.

Impact

The financial figures were the most viral element of the leak, recalibrating public understanding of how Twitch's economy worked and souring relations between the platform and creators who learned how their earnings compared to peers. The exposure of the full source code and internal security tooling was a serious long-term risk: adversaries gained a roadmap of Twitch's architecture and defensive playbook.

The attacker promised additional "parts" that never materialised at the same scale, suggesting the leak may have been opportunistic rather than part of a sustained campaign.

Why it matters

The Twitch leak is a textbook case of a single misconfiguration cascading into a total-source-code exposure. There was no sophisticated intrusion chain — just a server whose access controls were changed incorrectly. It underscores that for organisations with monolithic Git infrastructure, a configuration error can be as catastrophic as a zero-day, and that segmenting source code, payout data, and internal tooling across separate trust boundaries is essential. Leaking a company's own red-team tooling alongside its source code is a worst-case combination: it hands attackers both the map and the methodology.

Timeline

  1. An anonymous user posts a 125 GB torrent to 4chan labelled "part one," containing Twitch's source code, internal tools, and creator payout data.

  2. Streamers begin confirming that the leaked payout figures for their own accounts are accurate; Twitch acknowledges a breach has occurred.

  3. Twitch confirms the breach publicly, stating its teams are "working with urgency" to investigate.

  4. Twitch attributes the breach to a server configuration change that mistakenly exposed data to an unauthorised third party, and resets all stream keys.

  5. Twitch confirms login credentials and full credit-card numbers were not exposed; passwords on the platform are hashed and were not among compromised systems.

Sources

  1. techcrunch.com: https://techcrunch.com/2021/10/06/hacker-leaks-twitch-source-code-and-creator-payout-data/
  2. engadget.com: https://www.engadget.com/twitch-data-breach-reveals-creator-payouts-source-code-and-more-112012011.html
  3. theverge.com: https://www.theverge.com/2021/10/6/22712365/twitch-hack-leak-data-streamer-revenue-steam-competitor
  4. portswigger.net: https://portswigger.net/daily-swig/twitch-breach-leads-to-leak-of-source-code-and-streamer-earnings-data
  5. bbc.com: https://www.bbc.com/news/technology-58817658
