Twitch leaks

October 6, 2021    Article    1713 words    9 mins read

Update

Twitch (or Amazon) issued on October 9 (yes, on a Saturday) a takedown request to my ex hosting company (Exoscale) citing that this post is infringing on their IP. Keep in mind that no torrent files are hosted on this website.

Another cool leak from 4chan, this time it’s Twitch. From what I can see so far it’s a legit leak.

Original message

We bring to you today an extremely poggers leak:

Twitch is an American video live streaming service that focuses on video game live streaming, including broadcasts of esports competitions, operated by Twitch Interactive, a subsidiary of Amazon.com, Inc.

Their community is also a disgusting toxic cesspool, so to foster more disruption and competition in the online video streaming space, we have completely pwned them, and in part one, are releasing the source code from almost 6,000 internal Git repositories, including:

Entirety of twitch.tv, with commit history going back to its early beginnings
Mobile, desktop and video game console Twitch clients
Various proprietary SDKs and internal AWS services used by Twitch
Every other property that Twitch owns including IGDB and CurseForge
An unreleased Steam competitor from Amazon Game Studios
Twitch SOC internal red teaming tools (lol)

AND: Creator payout reports from 2019 until now. Find out how much your favorite streamer is really making!

Torrent (128GB): magnet:?xt=urn:btih:N5BLZ6XECNEHHARHJOVQAS4W7TWRXCSI&dn=twitch-leaks-part-one&tr=udp%3A%2F%2Fopen.stealth.si%3A80%2Fannounce
Repository listing: https://dpaste.org/MvoM

Jeff Bezos paid $970 million for this, we're giving it away FOR FREE.

#DoBetterTwitch
magnet:?xt=urn:btih:N5BLZ6XECNEHHARHJOVQAS4W7TWRXCSI&dn=twitch-leaks-part-one&tr=udp%3A%2F%2Fopen.stealth.si%3A80%2Fannounce

Creator payouts

For the pervs interested:

Amouranth: $92.949 on September 2021
Pokimane: $38.217 on September 2021
moonmoon: $83.685 on September 2021
pestily: $105.107 on September 2021
shroud: $96.359 on September 2021
moistcr1tikal: $117.959 on September 2021

and many more.

BREAKING NEWS: I looked inside the archives and you wouldn't believe what I found!

The leaker appears to be a person named Four “4chan” Chan, so I called my friends at the CKGB (the Chinese KGB) and they confirmed the leaker is the person below.

Secrets exposed

modtools/slack-reminder/slack_webhook.php

// General settings
$team_id = 'T1YRBFJNT';
$admin_room_id = 'G1ZFUGXU6';
$general_room_id = 'G1ZG2HADB';
$allowed_tokens = array('XfnQ3d4iSmMgLYdC9W8HBKx4' /* /duty */,
						'TYccA5utJfqk85Oumbiz02T2' /* /duty2 */,
						'WXYoS0AI6H6Zv1DKa3G6cvzZ' /* /time */);
$bot_token = 'xoxb-68273290868-dP6DCcKLbCIAarY84IrK8bh9';


// Connect to DB to do our stuff
$mysqli = new mysqli('leviathan-mysql-prod.cjmd1imzurdd.us-west-2.rds.amazonaws.com', 'slack_reminder', 'UqM6x9AB9jkjpnO9', 'slack_reminder');

modtools/firehose-chat-logger/main.go

	// Open the SQL connection
	db, err := sql.Open("mysql", "chatlogs:F8xB9NDMSw1KTldF@tcp(leviathan-chatlogs-mysql-prod.cjmd1imzurdd.us-west-2.rds.amazonaws.com:3306)/chatlogs?charset=utf8mb4,utf8")

modtools/better-desk/_functions.php

$DESK_API_DOMAIN = 'https://help.twitch.tv';
$DESK_API_KEY = 'QIpVTAyrppviIfEKg5Nj';
$DESK_API_SECRET = 'fM3KQ8MUovELgKofqA4l4HVZgdnSIJxrb1S9Ht1E';

modtools/leviathan/config/database.yml

  database: leviathan
  username: leviathan
  password: QPOlnPlhyu5865sh
  host: 'leviathan-mysql-prod.cjmd1imzurdd.us-west-2.rds.amazonaws.com'
  port: 3306

modtools/imap-to-desk-importer/db_to_leviathan.php

$mysqli = new mysqli('betterdesk-mysql.cunim1xnmwzu.us-west-1.rds.amazonaws.com', 'twitch_reports_write', 'QjghE4wuAN8CP55g', 'twitch_reports');

and many many many others. Maybe they should use their own Secret Surfer (security/secretsurfer) to scan their own repos for secrets? Just thowing some ideas, I don’t know.

# Secret Surfer
Secret Surfer is a tool to scan the history of a Git repository for secrets. It uses a combination of pattern matching
and entropy with the goal of keeping the signal-to-noise ratio high and false positive figure low. It can additionally
check if a given secret is still active for certain types (including AWS access keys).

What makes it unique is its speed. It can scan very large repositories in minutes. As a single example, Twitch's Puppet
repository (which has close to 70 thousand commits) can be scanned in under 2 minutes. Speed scales up with more CPU
cores, so throwing more compute at it will make it faster (probably with diminishing returns above 40ish cores).

It's a very new tool and still has some rough edges. These will be incrementally improved over time.

Internal hosts exposed

  • bastion-staging.xarth.tv
  • bastion.xarth.tv
  • dev.xarth.tv
  • pkgs.xarth.tv
  • osiris.dev.xarth.tv
  • splunk.security.xarth.tv
  • sec-syslog.security.xarth.tv
  • deb.pkgs.xarth.tv
  • pypi.pkgs.xarth.tv
  • jira.xarth.tv
  • admin-panel.xarth.tv
  • wiki.xarth.tv
  • git.xarth.tv
  • beholder.xarth.tv
  • beta.beholder.xarth.tv
  • osiris-pki.security.xarth.tv
  • osiris-pki.security.dev.xarth.tv
  • internal.beholder.xarth.tv

and many others.

User reports

I have a year old stalker who we’ve reported on his throwaway accounts - you do nothing. He has done things in real life, but since you don’t care, I won’t bother explaining that he has hacked my Amazon account, added himself to payees, stolen mroe than one payment from AdSense, and comes in nightly. THANKS

Stalked me on line and real life for over the past 2 years, made multiple accounts to get around bans, even if I got his account banned he could just change his IP and make another. He started off with minor harassment (troll accounts, rude comments, DDosing and death threats). He had my IP through Skype (which is not possible any more to my knowledge) and with this he found out my location. After about a year of DDosing and stalking he decided to bring the harassment to real life by ordering pizza to my house everyday for 2 weeks and threatening to call a bomb squad to my house. He also claimed he would come to my house and murder me so this drove me to stop streaming, this was at the end of 2015 and I haven’t streamed since.

not a stream that goes by that I’m not attacked or criticized constantly for my weight. No one at twitch seems to give a remote crap either :/

Personal attacks do not phase me. They have become…tolerable somewhat because I know they will not seize. Every broadcaster will experience ‘harassment’ in some way shape or form. I understand, accept and move on from this fact. However, people have attacked my family and loved ones on social media; I have personally had my safety threatened. I do keep my personal life detached from broadcasting but it is not enough. I do not feel inclined to file reports about these incidents because they simply do not hold weight. They are hollow threats made by otherwise non-hostile people. But they exist nonetheless.

I’m a disabled streamer and I receive a lot of mocking and bullying comments in the Twitch chat. The comments range from “When are you going to die” “I hope he dies soon”. Other comments mock my Wheelchair or oxygen tubes. This occurs every steam.

I have had people in my chat asking if they can cum in my beard and also a couple death threats in the last year

Rape and death threats, sexual harassment, same old

This stuff is sickening and Twitch, Amazon and Jeff Bezos should be ashamed of themselves.

Top 10000 gross earnings

Note

You can use this online tool (does all the processing in your browser, uploads nothing, downloads nothing, the usual yadda yadda) that makes it easy to search the top 10k Twitch content creators, based on the code from twitchearnings.com. Not sure what is the license, the original website is gone.

From August 2019 to October 2021, (originally from here, removed now, local mirror, mirror, local mirror in CSV format, mirror in CSV format).

A small table (for obvious reasons) of the top 100.

PositionUsernameUserIDGrossEarning
1CriticalRole2297293539626712.16
2xQcOW710929388454427.17
3summit1g264904815847541.17
4Tfue600563335295582.44
5NICKMERCS155648285096642.12
6ludwig409346513290777.55
7TimTheTatman367690163290133.32
8Altoar292794253053839.94
9auronplay4593315093053341.54
10LIRIK231613572984653.7
11unknown173375572863780.63
12Gaules1810774732844985.18
13HasanAbi2078133522810480.11
14Asmongold262614712551618.73
15loltyler1514960272490584.9
16RanbooLive4891551602401021.84
17MontanaBlack88450448162391369.58
18ibai832328662314485.53
19Castro_1021520918232311021.81
20MOONMOON1210593192236043.55
21TheRealKnossi715885782157258.23
22moistcr1tikal1322303442098742.63
23Mizkif947530242086548.21
24CohhCarnage266102342061059.29
25shroud374021122040503.15
26AdmiralBahroo409728901985892.39
27Pestily1060137421961086.96
28Sykkuno261549781916327.43
29ESL_CSGO312395031903580.27
30LVNDMARK4276324671902807.22
31DrLupo298299121894615.81
32AdinRoss592996321854656.42
33Clix2333003751843917.31
34TeePee238443961786534.47
35Rubius392761401764965.15
36PaymoneyWubby382513121756486.29
37alanzoka382441801731716.65
38Trainwreckstv711902921572912.37
39pokimane444455921528303.11
40tommyinnit1162283901513217.7
41Maximilian_DOOD301043041499562.93
42GRONKH128750571481291.05
43sodapoppin263018811461302.14
44ZeratoR417191071440221.4
45BobbyPoffGaming2126829211415247.01
46Ninja195716411378791.48
47Philza33897681364215.61
48Amouranth1253876321363346.32
49BruceGreene592506651360850.67
50Odablock1777305781354805.74
51RayNarvaezJr858756351335520.12
52Symfuhny316883661334485.63
53dakotaz392982181324198.49
54ZanoXVII758303381310925.8
55SypherPK321400001295112.63
56Trymacs643427661288207.23
57TheGrefg488783191286765.09
58Papaplatte509856201286004.35
59JohnPitterTV388428011215717.01
60RATIRL572922931214440.08
61RocketLeague577819361204908.7
62NoWay4u_Sir853974631188728.95
63GamesDoneQuick225103101185456.44
64GernaderJake14239461176353.74
65fps_shaka492071841173280.3
66EsfandTV387461721170700.02
67buddha1367652781158170.55
68Locklear1373475491155665.61
69stylishnoob4509887501147599.76
70ANGRYPUG631644701146888.15
71Sintica358841671075977.17
72Fresh385946881073254.63
73Quackity485266261065157.18
74RonnieRadke4630866911063989.05
75RiotGames36029255
76KYR_SP33DY110012411052545.35
77Gladd816286271045687.54
78juansguarnizo1215102361034709.27
79Bugha825249121034227.61
80NickEh30444246311027976.4
81Tubbo2231915891000504.31
82Pikabooirl27992608994116.76
83RatedEpicz50237189987866.88
84Swagg39724467984854.8
85Shotz112822444984477.46
86CDNThe3rd14408894976750.53
87Tumblurr77827128960316.77
88Aydan120244187953042.02
89ops1x185619753947355.14
90scump13240194946332.99
91BarbarousKing56865374933633.48
92julien85581832918684.35
93mang026551727916857.66
94Kitboga32787655915795.53
95chocoTaco69906737913022.39
96alexelcapo36138196911427.22
97Anomaly76508554908794.96
98Jerma98523936415906602.0
99The8BitDrummer63321379895020.23
100TSM_ImperialHal146922206886999.17

To get the UserID from the Username, use https://api.ivr.fi/twitch/resolve/USERNAME, for example, to get Asmongold’s UserID you visit https://api.ivr.fi/twitch/resolve/Asmongold.

Offensive usernames

safety-ml/conductor-offensive-usernames/offensive_usernames/protected_words.txt
vegan
homo
lgbt
gay
queer
lesbian
islam
black
trans
gender
muhammad
kid
mexican
mom
allah
mother
child
women
man
minor
god
dio
jesus
buddha
muslim
girl
boy
white
brown
indian
dad
father
disable
autism
latin
jew
blm
george
floyd
zimmerman
wife
wives
husband
daughter
son
lives
matter
china
chinese
mum
baby
babies
minority
minorities
aids
autistic
kindergarten
africa
america

Others

If you cross-reference the IP addresses from the security/notebooks/unmanaged_devices_v2.0.ipynb file with the IKnowWhatYouDownload website, you get some “cool” info. It’s not really precise (some clients give fake info to DHT) so there is that.

Heh.

The leak seems to have come from git.xarth.tv because many of the files inside twitch.zip/docs reference this domain. Goes to Amazon Midway Auth when visited in a web browser.

For some reason all internal Twitch developers use justin.tv emails.

Also, a dataset of users with ‘unmanaged devices’ connecting to the Twitch VPN can be found inside security/notebooks/unmanaged_devices_v2.0.ipynb and there is a chart there that plots the platform of those users.