Perfect Timing: Twitch Gets Compromised With Voluminous Leak Of Data Via Torrent
from the here-we-go-again dept
It's no secret that Amazon-owned Twitch has had a rough go of it for the past year or so. We've talked about most, if not all, of the issues the platform has created for itself: a DMCA apocalypse, a creative community angry about not being informed over copyright issues, unclear creator guidelines for content that result in punishment from Twitch while some creators happily test the fences on those guidelines, and further and ongoing communication breakdowns with creators. All of that, mind you, has taken place over the last 12 months. It's been bad. Really bad!
But great news: now it's even worse! Someone managed to get into the Twitch platform and leak it. As in pretty much all of it. And even some information on a Steam rival that Amazon is planning to release. Seriously.
An anonymous hacker claims to have leaked the entirety of Twitch, including its source code and user payout information.
The user posted a 125GB torrent link to 4chan on Wednesday, stating that the leak was intended to “foster more disruption and competition in the online video streaming space” because “their community is a disgusting toxic cesspool”.
The leaked Twitch data reportedly includes:
- The entirety of Twitch’s source code with comment history “going back to its early beginnings”
- Creator payout reports from 2019
- Mobile, desktop and console Twitch clients
- Proprietary SDKs and internal AWS services used by Twitch
- “Every other property that Twitch owns” including IGDB and CurseForge
- An unreleased Steam competitor, codenamed Vapor, from Amazon Game Studios
- Twitch internal ‘red teaming’ tools (designed to improve security by having staff pretend to be hackers)
As you can see, yeah, pretty much everything. And keep in mind that whoever leaked this via torrent has noted that this is "part 1". Now, while a great deal of attention is being paid to Vapor, an unreleased platform created by Amazon to compete with Steam, let's focus instead on the release of the financial compensation for Twitch creators. Because this represents yet another failure by Twitch to protect its own creative community.
How detailed are these financial records? Extremely, as it turns out, with names and dollar amounts attached, so that enterprising individuals are able to rank them. For instance, my own beloved Critical Role appears to be the top Twitch earner since 2019.
The gross payouts of the top 100 highest-paid Twitch streamers from August 2019 until October 2021: pic.twitter.com/3Lj9pb2aBl
— KnowSomething (@KnowS0mething) October 6, 2021
Now, I love Critical Role and am quite pleased that they're doing so well for themselves. But I'm pretty sure they also aren't loving their exact compensation through Twitch being out there for the entire world to see. I need to avoid getting into a victim-blaming issue here, since Twitch is very much a victim of this hack/compromise/leak... but we also don't have details from Amazon as to how this leak occurred, only that it is authentic. The next question is obvious: did Twitch do something stupid that left itself vulnerable to this sort of thing?
We don't know. But this is the problem when a platform torches its reputation among its own creative community the way Twitch has over the last year or so. There's no goodwill in the bank for Twitch to rely on as it navigates the fallout of all this. And, while it's worth noting that the person posting this leak claims they did so out of anger with how Twitch operates and its "toxic cesspool" of a community, the public and media framing of this leak has shown little sympathy for the platform overall.
This all comes at a time of much tribulation for Twitch, with the #DoBetterTwitch/#TwitchDoBetter hashtags at the forefront of efforts by users to demand a better service from the platform, including boycotts to demand action over hate raids. Twitch seems to be making some positive moves, but then always finds a way to do something terrible too.
If Twitch wants to start repairing this reputation, it should be in full "good PR" mode: admit what happened, be transparent, do not talk about other great things you've done, build a plan to repair this. Sadly, given Twitch's history, it's an open question whether it will do the right thing or not.
Filed Under: data leak, live streamers
Companies: amazon, twitch
Reader Comments
Stuff like this is why trying to bring in real ID and age verification for social media is a really bad idea.
Well this is an extreme example of just make your own...Here have some source code.
That's why I am streaming on YouTube.
I'm fully expecting Amazon to be compromised as well.
We all know Twitch has been shit for quite a while now. The grapevine also suggests that their management is also garbage too.
Re:
My guess is that it's an inside job by either a current or former employee of Twitch/Amazon, based on the scope and content of the leak, so your theory is likely to come true.
'Twitch is a cesspool that needs exposing!' posts a 4chan user without a hint of self awareness.
Re:
I found that funny too, since Twitch may be toxic, but it's nowhere near the white power shithole 4chan can get.
Uh Oh!!!
Amazon just got Twitch-slapped!!
Still, when platforms don't design a concept around rock-solid security foundations, what do you expect?
Gary Numan predicted this in 1979, https://www.youtube.com/watch?v=TD1ODWNWXgY
Maybe they should have applied this network security patch, https://www.youtube.com/watch?v=JAmCQZ8bwcQ
Victim-blaming issue?
Yeah, no. Victim-blaming is something to be avoided when some poor schmuck gets their password swiped. When a trillion-dollar company like Amazon fails to secure customer data, they deserve to be blamed.
Re: Victim-blaming issue?
Whereas, I don't personally care whether the person who left their car unlocked overnight is a billionaire or someone who doesn't know if they have enough cash to pay for tomorrow's commute. They should have been more careful, but the person who stole the car is still to blame.
Re: Re: Victim-blaming issue?
For the car, sure. But for the private information of millions of customers the owner of the car left lying on the backseat, I blame the one who left them there.
And I would still blame them for doing that even if the car wasn't actually stolen that night.
Re: Re: Re: Victim-blaming issue?
In that case the blame could be shared, but the majority of the blame still belongs with the guy who decided to commit a crime. Doubly so if he then uploaded all those documents to be shared with random people on the internet.
Re: Re: Re: Re: Victim-blaming issue?
"...but the majority of the blame still belongs with the guy who decided to commit a crime."
It's not really the same malfeasance.
Casual negligence or reckless endangerment is very much NOT related to theft and burglary. The car thief is only to blame for stealing the car.
The one abusing the trust of their clients and customers by failing to handle their data with due confidentiality is something else.
There are two blames to be administered and they have nothing to do with one another.
Re: Re: Re: Re: Re: Victim-blaming issue?
"The one abusing the trust of their clients and customers by failing to handle their data with due confidentiality is something else."
Is it though? The vast majority of cases I'm aware of are on the same level as someone forgetting to lock a door rather than equivalent to someone deliberately endangering people.
Re: Re: Re: Re: Re: Re: Victim-blaming issue?
"The vast majority of cases I'm aware of are on the same level as someone forgetting to lock a bank vault rather than equivalent to someone deliberately endangering people."
Had to fix that for you.
If what you keep is nonessential or generally available data then locking the door might not be an issue. If what you have locked away is the private and confidential information of other people then failing to lock up means you have indeed endangered people.
And if you did this by deliberately not keeping acceptable security then that's very much not excusable.
Thus there are two types of blame for two types of crimes to be assigned. One where a fraudulent platform fails to properly safeguard the information they lift from their gullible consumers, and one active miscreant who exploits the security flaws to make off with the goods.
It's not "victim-blaming" to cast blame on the platform when the platform in question has as sole complaint that someone snuck in and made off with the property of third parties which the platform had utterly failed to properly secure.
Yeah, we can blame the hackers. And we can also blame the platform for running with a templated "best effort" security solution guarding the data they held.
It seems to be a weekly event that an American company with millions of users gets hacked. The difference is their source code also got released. What value the source code of a streaming service has is hard to say, since a streaming service requires 1000s of servers to operate, and Microsoft had a better service which simply did not attract enough viewers to survive. There needs to be maybe some fine by regulators for companies that do not take basic precautions to protect user data.
Re:
While the source code got released here and gets the headlines, that's not the real problem with this hack. They didn't only get source code, they got customer financial data, they got internet network configurations, they got operating practices with how they deal with security, and they got all sorts of business information on current and previous projects. That's a hell of a lot more problematic than them having source code available and some people potentially have a field day with it if they operated security through obscurity.
We can discuss punishment when we find out what exactly went wrong (though the scope of the leak to me suggests something other than basic infosec failure), but in the meantime let's not pretend that it's just a leak of something that has no major implications on its own.
Securing from act of idiot.
Things like this are why I long ago stopped using any but disposable addresses with web sites. Any site refusing disposable addresses is presumed to have criminal intent and I drop them like an angry porcupine.
Since some here will need this spelled out: Events like this make it clear that web information cannot be meaningfully secured. Disposable addresses can be shut off trivially if compromised. I use disposable payment card numbers for the same reasons; sites refusing them go on the crook list. My data and financial integrity are more important than whatever delusions others may have about "real" information. It's valid if you use it, and no legitimate reasons exist for not working with what is presented.
Re: Securing from act of idiot.
Anyone with an inkling of tech-savviness and security takes precautions; average Joe/Jane that just wants things to work doesn't.
It all comes down to the fact that many companies actually don't care about security that much, since it costs money. They make a token effort to mitigate the common security issues, and when it fails it's mostly their customers that end up with their ass swinging in the breeze while the company noncommittally says it will do better to soothe some ruffled feathers.
We don't know how the hackers got access to the data. Twitch might have good security systems; some companies don't do basic things like hash user data and passwords. They'll have to build a new security network and change all passwords to avoid being hacked twice.
Re:
Erm I don't think user passwords are even in the list of leaked materials in this particular case.
They could be compromised but there's other problems.
Re:
Based on the scope of the leak, I suspect an inside job by either a current or former employee.
Re:
My guess is that someone didn't configure their bucket on AWS correctly. It happens all the time and then they are publicly available and can quite easily be found by some scanning-tools.
Not enough data.
Cesspool?
Let's ask those that watch why they watch the cesspool stuff?
Don't just call names and think it means much. Why do you think people LIKE REAL PEOPLE?
Think it's more exciting than the boredom of watching a person NOT get pissed at Dying in games for the 33rd time?
How confused are the internet corps?
So confused as to wondering What idiotic BS is happening NEXT.
Between the Different governments, Even our own, the Aussies, the middle east, china. All trying to find ways to regulate LOCALLY. But also have impact around the world?
(waiting for Murdoch to get sued in Australia, if and when he closes Comments down on ALL of his news sites).
If all of this is true and such.
How many people Believe the internet is SAFE?
Safe from what?
Still get Bots, trackers, Popups, this and that, and even a few Viruses.
WE COULD fix some of this by re-inventing the net protocols and Data transferred with every file and email.
But nope. WE invented the biggest Spy network in the world.
It bears saying...
If you have a Twitch account and haven't done so yet, change your password and enable two-factor authentication.
Better safe than stupid.