In a nutshell: Sony says that it was someone outside of SIE or Naughty Dog leaked the TLoU2 spoiler footage last week, but would not elaborate. Multiple sources claim the assets were obtained through a security vulnerability coded into older ND games patches. Hackers dumping the code allegedly found AWS passwords to Naughty Dog servers.
Last week, game-ruining spoilers leaked for The Last of Us Part II, including the ending. Rumors were that an angry Naughty Dog employee had posted the game footage. The studio later issued an apology without acknowledging the alleged source of the leak.
On Friday, a Sony spokesperson said the company had "identified" the source of the leak and that it did not originate from within Naughty Dog or Sony Interactive Entertainment.
"SIE has identified the primary individuals responsible for the unauthorized release of TLOU2 assets," the Sony rep told Polygon. "They are not affiliated with Naughty Dog or SIE. We are unable to comment further because the information is subject to an on-going [sic] investigation."
Then on Saturday, a Twitter user going by the handle "PixelButts" claimed to know those who did the leaking and revealed how they obtained the footage.
Every ND game has a "final" patch that is pushed to the game that contains an Amazon AWS key, that when paired with a secret bucket ID it will give full access to the server's contents.— PixelButts (@PixelButts) May 3, 2020
Theres a different key and bucket ID per game, this is important
In a series of tweets, PixelButts explained that a hacker group consisting of Naughty Dog enthusiasts had discovered an exploit in January that allowed them to access ND's AWS servers. It seemed that password information was coded into some of ND's game patches including Uncharted 3 and The Last of Us. Both games access the servers for online play but also had file fetching functionality. The hackers allegedly used this to steal at least one terabyte of The Last of Us Part II assets.
"Every ND game has a 'final' patch that is pushed to the game that contains an Amazon AWS key, that when paired with a secret bucket ID, it will give full access to the server's contents. There's a different key and bucket ID per game, this is important," tweeted PixelButts. "[The hackers] were trying to dump TLOU1 in an effort to get that games key as UC3 had TLOU1 material, so surely TLOU1 had TLOU2?"
OK: After talking to two people with direct knowledge of how TLOU2 leaked as well as some Naughty Dog employees, I have a good idea of what happened. Short version: hackers found a security vulnerability in a patch for an older ND game and used it to get access to ND’s servers.— Jason Schreier (@jasonschreier) May 3, 2020
On Sunday, former Kotaku editor Jason Schreier tweeted that he had talked to two people with "direct knowledge" of the hack who confirmed this was how the footage obtained. He also spoke with a few Naughty Dog employees who validated the claims.
Neither Sony nor Naughty Dog has officially confirmed these reports, likely because of the ongoing investigation. However, with SIE already admitting it was an outside job, the explanation appears credible. Although, it does seem odd that enthusiasts for the game would leak such damaging spoilers for it. PixelButts claims he does not think someone from the group was responsible.
"I've been watching this for about 3 months now, and after speaking to a first hand source of this, my only conclusion is they (and their immediate circle) did not leak it, but shared information relating to what I described, and another party proceeded to leak such material," he tweeted.
PixelButt believes someone else became informed of the vulnerability, just as he did, and used the exploit to grab and expose the spoiler footage. Of course, until Sony concludes its investigation and releases more information, this is just speculatory.