Perfect Timing: Twitch Gets Compromised With Voluminous Leak Of Data Via Torrent

from the here-we-go-again dept

It’s no secret that Amazon-owned Twitch has had a rough go of it for the past year or so. We’ve talked about most, if not all, of the issues the platform has created for itself: a DMCA apocalypse, a creative community angry about not being informed over copyright issues, unclear creator guidelines for content that result in punishment from Twitch while some creators happily test the fences on those guidelines, and further and ongoing communication breakdowns with creators. All of that, mind you, has taken place over the last 12 months. It’s been bad. Really bad!

But great news: now it’s even worse! Someone managed to get into the Twitch platform and leak it. As in pretty much all of it. And even some information on a Steam-rival Amazon is planning to release. Seriously.

An anonymous hacker claims to have leaked the entirety of Twitch, including its source code and user payout information.

The user posted a 125GB torrent link to 4chan on Wednesday, stating that the leak was intended to “foster more disruption and competition in the online video streaming space” because “their community is a disgusting toxic cesspool”.

The leaked Twitch data reportedly includes:

- The entirety of Twitch’s source code with comment history “going back to its early beginnings”
- Creator payout reports from 2019
- Mobile, desktop and console Twitch clients
- Proprietary SDKs and internal AWS services used by Twitch
- “Every other property that Twitch owns” including IGDB and CurseForge
- An unreleased Steam competitor, codenamed Vapor, from Amazon Game Studios
- Twitch internal ‘red teaming’ tools (designed to improve security by having staff pretend to be hackers)

As you can see, yeah, pretty much everything. And keep in mind that whoever leaked this via torrent has noted that this is “part 1”. Now, while a great deal of attention is being paid to Vapor, an unreleased platform created by Amazon to compete with Steam, let’s focus instead on the release of the financial compensation for Twitch creators. Because this represents yet another failure by Twitch to protect its own creative community.

How detailed are these financial records? Extremely, as it turns out, with names and dollar amounts attached so that enterprising individuals are able to rank them. For instance, my own beloved Critical Role appears to be the top Twitch earner since 2019.

Now, I love Critical Role and am quite pleased that they’re doing so well for themselves. But I’m pretty sure they also aren’t loving their exact compensation through Twitch being out there for the entire world to see. I need to avoid getting into a victim-blaming issue here, since Twitch is very much a victim of this hack/compromise/leak… but we also don’t have details from Amazon as to how this leak occurred, only that it is authentic. The next question is obvious: did Twitch do something stupid that left itself vulnerable to this sort of thing?

We don’t know. But this is the problem when a platform torches its reputation among its own creative community like Twitch has over the last year or so. There’s no goodwill in the bank for Twitch to rely on as it navigates through the fallout of all this. And, while it’s worth noting that the person posting this leak claims they did so out of anger with how Twitch operates and its “toxic cesspool” of a community, the public and media framing of this leak has shown little sympathy for the platform overall.

This all comes at a time of much tribulation for Twitch, with the #DoBetterTwitch/#TwitchDoBetter hashtags at the forefront of efforts by users to demand a better service from the platform, including boycotts to demand action over hate raids. Twitch seems to be making some positive moves, but then always finds a way to do something terrible too.

If Twitch wants to start repairing this reputation, it should be in full “good PR” mode: admit what happened, be transparent, do not talk about other great things you’ve done, build a plan to repair this. Sadly, given Twitch’s history, it’s an open question whether it will do the right thing or not.

Companies: amazon, twitch


Comments on “Perfect Timing: Twitch Gets Compromised With Voluminous Leak Of Data Via Torrent”

Scary Devil Monastery (profile) says:

Re: Re: Re:2 Victim-blaming issue?

"…but the majority of the blame still belongs with the guy who decided to commit a crime."

It’s not really the same malfeasance.

Casual negligence or reckless endangerment is very much NOT related to theft and burglary. The car thief is only to blame for stealing the car.
The one abusing the trust of their clients and customers by failing to handle their data with due confidentiality is something else.

There are two blames to be administered and they have nothing to do with one another.

PaulT (profile) says:

Re: Re: Re:3 Victim-blaming issue?

"The one abusing the trust of their clients and customers by failing to handle their data with due confidentiality is something else."

Is it though? The vast majority of cases I’m aware of are on the same level as someone forgetting to lock a door rather than equivalent to someone deliberately endangering people.

Scary Devil Monastery (profile) says:

Re: Re: Re:4 Victim-blaming issue?

"The vast majority of cases I’m aware of are on the same level as someone forgetting to lock a bank vault rather than equivalent to someone deliberately endangering people."

Had to fix that for you.

If what you keep is nonessential or generally available data then locking the door might not be an issue. If what you have locked away is the private and confidential information of other people then failing to lock up means you have indeed endangered people.

And if you did this by deliberately not keeping acceptable security then that’s very much not excusable.

Thus there are two types of blame for two types of crimes to be assigned. One where a fraudulent platform fails to properly safeguard the information they lift from their gullible consumers, and one active miscreant who exploits the security flaws to make off with the goods.

It’s not "victim-blaming" to cast blame on the platform when the platform in question has as sole complaint that someone snuck in and made off with the property of third parties which the platform had utterly failed to properly secure.

Yeah, we can blame the hackers. And we can also blame the platform for running with a templated "best effort" security solution guarding the data they held.

Anonymous Coward says:

It seems to be a weekly event that an American company with millions of users gets hacked. The difference is their source code also got released. What value the source code of a streaming service is, is hard to say, since a streaming service requires 1000s of servers to operate, and Microsoft had a better service which simply did not attract enough viewers to survive. There needs to be maybe some fine by regulators for companies that do not take basic precautions to protect user data.

PaulT (profile) says:

Re: Re:

While the source code got released here and gets the headlines, that’s not the real problem with this hack. They didn’t only get source code, they got customer financial data, they got internet network configurations, they got operating practices with how they deal with security, and they got all sorts of business information on current and previous projects. That’s a hell of a lot more problematic than them having source code available and some people potentially have a field day with it if they operated security through obscurity.

We can discuss punishment when we find out what exactly went wrong (though the scope of the leak to me suggests something other than basic infosec failure), but in the meantime let’s not pretend that it’s just a leak of something that has no major implications on its own.

MikeVx (profile) says:

Securing from act of idiot.

Things like this are why I long ago stopped using any but disposable addresses with web sites. Any site refusing disposable addresses is presumed to have criminal intent and I drop them like an angry porcupine.

Since some here will need this spelled out: Events like this make it clear that web information cannot be meaningfully secured. Disposable addresses can be shut off trivially if compromised. I use disposable payment card numbers for the same reasons; sites refusing go on the crook list. My data and financial integrity are more important than whatever delusions others may have about "real" information. It’s valid if you use it, and no legitimate reasons exist for not working with what is presented.

Rocky says:

Re: Securing from act of idiot.

Anyone with an inkling of tech-savviness and security takes precautions, average Joe/Jane that just want things to work doesn’t.

It all comes down to that many companies actually don’t care about security that much since it costs money. They make a token effort to mitigate the common security issues and when it fails it’s mostly their customers that end up with their ass swinging in the breeze while the company noncommittally says they will do better to soothe some ruffled feathers.

ECA (profile) says:

Not enough data.

Let’s ask those that watch, why they watch the cesspool stuff?
Don’t just call names and think it means much. Why do you think people LIKE REAL PEOPLE.
Think it’s more exciting than the boredom of watching a person NOT get pissed at Dying in games for the 33rd time?

How confused are the internet corps?
So confused as to wondering What idiotic BS is happening NEXT.
Between the Different governments, Even our own, the Aussies, the middle east, china. All trying to find ways to regulate LOCALLY. But also have impact around the world?
(waiting for Murdoch to get sued in Australia, if and when he closes Comments down on ALL of his news sites).

If all of this is true and such.
How many people Believe the internet is SAFE?
Safe from what?
Still get Bots, trackers, Popups, this and that, and even a few Virus.
WE COULD fix some of this by re-inventing the net protocols and Data transferred with every file and email.
But nope. WE invented the biggest Spy network in the world.
