Perfect Timing: Twitch Gets Compromised With Voluminous Leak Of Data Via Torrent

from the here-we-go-again dept

It's no secret that Amazon-owned Twitch has had a rough go of it for the past year or so. We've talked about most, if not all, of the issues the platform has created for itself: a DMCA apocalypse, a creative community angry about not being informed over copyright issues, unclear creator guidelines for content that result in punishment from Twitch while some creators happily test the fences on those guidelines, and further and ongoing communication breakdowns with creators. All of that, mind you, has taken place over the last 12 months. It's been bad. Really bad!

But great news: now it's even worse! Someone managed to get into the Twitch platform and leak it. As in pretty much all of it. And even some information on a Steam-rival Amazon is planning to release. Seriously.

An anonymous hacker claims to have leaked the entirety of Twitch, including its source code and user payout information.

The user posted a 125GB torrent link to 4chan on Wednesday, stating that the leak was intended to “foster more disruption and competition in the online video streaming space” because “their community is a disgusting toxic cesspool”.

The leaked Twitch data reportedly includes:

-The entirety of Twitch’s source code with comment history “going back to its early beginnings”

-Creator payout reports from 2019

-Mobile, desktop and console Twitch clients

-Proprietary SDKs and internal AWS services used by Twitch

-“Every other property that Twitch owns” including IGDB and CurseForge

-An unreleased Steam competitor, codenamed Vapor, from Amazon Game Studios

-Twitch internal ‘red teaming’ tools (designed to improve security by having staff pretend to be hackers)

As you can see, yeah, pretty much everything. And keep in mind that whoever leaked this via torrent has noted that this is "part 1". Now, while a great deal of attention is being paid to Vapor, an unreleased platform created by Amazon to compete with Steam, let's focus instead on the release of the financial compensation for Twitch creators. Because this represents yet another failure by Twitch to protect its own creative community.

How detailed are these financial records. Extremely, as it turns out, with names and dollar amounts attached so that enterprising individuals are able to rank them. For instance, my own beloved Critical Role appears to be the top Twitch earner since 2019.

Now, I love Critical Role and am quite pleased that they're doing so well for themselves. But I'm pretty sure they also aren't loving their exact compensation through Twitch being out there for the entire world to see. I need to avoid getting into a victim-blaming issue here, since Twitch is very much a victim of this hack/compromise/leak... but we also don't have details from Amazon as to how this leak occurred, only that it is authentic. The next question is obvious: did Twitch do something stupid that left itself vulnerable to this sort of thing?

We don't know. But this is the problem when a platform torches its reputation among its own creative like Twitch has over the last year or so. There's no goodwill in the bank for Twitch to rely on as it navigates through the fallout of all this. And, while it's worth noting that the person posting this leak claims they did so out of anger with how Twitch operates and its "toxic cesspool" of a community, the public and media framing of this leak has shown little sympathy for the platform overall.

This all comes at a time of much tribulation for Twitch, with the #DoBetterTwitch/#TwitchDoBetter hashtags at the forefront of efforts by users to demand a better service from the platform, including boycotts to demand action over hate raids. Twitch seems to be making some positive moves, but then always finds a way to do something terrible too.

If Twitch wants to start repairing this reputation, it should be in full "good PR" mode: admit what happened, be transparent, do not talk about other great things you've done, build a plan to repair this. Sadly, given Twitch's history, it's an open question whether it will do the right thing or not.

Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: data leak, live streamers
Companies: amazon, twitch


Reader Comments

Subscribe: RSS

View by: Time | Thread


  1. identicon
    Anonymous Coward, 6 Oct 2021 @ 7:50pm

    Stuff like this is why trying to bring in real ID and age verification for social media is a really bad idea.

    reply to this | link to this | view in thread ]

  2. icon
    That Anonymous Coward (profile), 6 Oct 2021 @ 9:28pm

    Well this is an extreme example of just make your own...Here have some source code.

    reply to this | link to this | view in thread ]

  3. identicon
    Jagielski Gaming, 7 Oct 2021 @ 12:32am

    That's why I am streaming on YouTube.

    reply to this | link to this | view in thread ]

  4. identicon
    Anonymous Coward, 7 Oct 2021 @ 1:33am

    I'm fully expecting Amazon to be compromised as well.

    We all know Twitch has been shit for quite a while now. The grapevine also suggests that their management is also garbage too.

    reply to this | link to this | view in thread ]

  5. icon
    Bloof (profile), 7 Oct 2021 @ 2:39am

    'Twitch is a cesspool that needs exposing!' posts a 4chan user without a hint of self awareness.

    reply to this | link to this | view in thread ]

  6. identicon
    Bobvious, 7 Oct 2021 @ 2:56am

    Uh Oh!!!

    Amazon just got Twitch-slapped!!

    Still, when platforms don't design a concept around rock-solid security foundations, what do you expect?

    Gary Numan predicted this in 1979, https://www.youtube.com/watch?v=TD1ODWNWXgY

    Maybe they should have applied this network security patch, https://www.youtube.com/watch?v=JAmCQZ8bwcQ

    reply to this | link to this | view in thread ]

  7. identicon
    Anonymous Coward, 7 Oct 2021 @ 3:48am

    Victim-blaming issue?

    Yeah, no. Victim-blaming is something to be avoided when some poor schmuck gets their password swiped. When a trillion-dollar company like Amazon fails to secure customer data, they deserve to be blamed.

    reply to this | link to this | view in thread ]

  8. identicon
    Anonymous Coward, 7 Oct 2021 @ 5:06am

    It seems to be a weekly event an American company with millions of users get hacked. The difference is thier source code also got released . What value the source code of a streaming service is , is hard to say since a streaming service requires 1000s of servers to operate and Microsoft had a better service which simply did not attract enough viewers to survive there needs to be maybe some fine by regulators for company's that do not take basic prequations to protect user data

    reply to this | link to this | view in thread ]

  9. identicon
    Anonymous Coward, 7 Oct 2021 @ 5:35am

    Re:

    I found that funny too, since Twitch may be toxic, but it's nowhere near the white power shithole 4chan can get.

    reply to this | link to this | view in thread ]

  10. icon
    PaulT (profile), 7 Oct 2021 @ 5:37am

    Re: Victim-blaming issue?

    Whereas, I don't personally care whether the person who left their car unlocked overnight is a billionaire or someone who doesn't know if they have enough cash to pay for tomorrow's commute. They should have been more careful, but the person who stole the car is still to blame.

    reply to this | link to this | view in thread ]

  11. icon
    PaulT (profile), 7 Oct 2021 @ 5:50am

    Re:

    While the source code got released here and gets the headlines, that's not the real problem with this hack. They didn't only get source code, they got customer financial data, they got internet network configurations, they got operating practices with how they deal with security, and they got all sorts of business information on current and previous projects. That's a hell of a lot more problematic than them having source code available and some people potentially have a field day with it if they operated security through obscurity.

    We can discuss punishment when we find out what exactly went wrong (though the scope of the leak to me suggests something other than basic infosec failure), but in the meantime let's not pretend that it's just a leak of something that has no major implications on its own.

    reply to this | link to this | view in thread ]

  12. icon
    MikeVx (profile), 7 Oct 2021 @ 6:14am

    Seecuring from act of idiot.

    Things like this are why I long ago stopped using any but disposable addresses with web sites. Any site refusing disposable addresses is presumed to have criminal intent and I drop them like an angry porcupine.

    Since some here will need this spelled out: Events like this make it clear that web information cannot be meaningfully secured. Disposable addresses can be shut off trivially if compromised. I use disposable payment card numbers for the same reasons, sites refusing go on the crook list. My data and financial integrity are more important than whatever delusions others may have about "real" information. Its valid if you use it, and no legitimate reasons exist for not working with what is presented.

    reply to this | link to this | view in thread ]

  13. identicon
    Rocky, 7 Oct 2021 @ 7:27am

    Re: Seecuring from act of idiot.

    Anyone with an inkling of tech-savviness and security takes precautions, average Joe/Jane that just want things to work doesn't.

    It all comes down to that many companies actually doesn't care about security that much since it costs money. They make a token-effort to mitigate the common security issues and when it fails it's mostly their customers that end up with their ass swinging in the breeze while the company noncommittally say they will do better to soothe some ruffled feathers.

    reply to this | link to this | view in thread ]

  14. identicon
    Anonymous Coward, 7 Oct 2021 @ 7:27am

    Re: Re: Victim-blaming issue?

    For the car, sure. But for the private information of millions of customers the owner of the car left lying on the backseat, I blame the one who left them there.

    And I would still blame them for doing that even if the car wasn't actually stolen that night.

    reply to this | link to this | view in thread ]

  15. identicon
    Anonymous Coward, 7 Oct 2021 @ 9:13am

    We don't know how the hackers got acess to the data twitch might have good security systems some company's don't don't basic things like hash user data and passwords they'll have to build a new security network change all passwords to avoid being hacked twice

    reply to this | link to this | view in thread ]

  16. icon
    PaulT (profile), 7 Oct 2021 @ 10:35am

    Re: Re: Re: Victim-blaming issue?

    In that case the blame could be shared, but the majority of the blame still belongs with the guy who decided to commit a crime. Doubly so if he then uploaded all those documents to be shared with random people on the internet.

    reply to this | link to this | view in thread ]

  17. icon
    PaulT (profile), 7 Oct 2021 @ 10:37am

    Re:

    Erm I don't think user passwords are even in the list of leaked materials in this particular case.

    They could be compromised but there's other problems.

    reply to this | link to this | view in thread ]

  18. identicon
    Sacred Cow, 7 Oct 2021 @ 10:38am

    Re:

    Based on the scope of the leak, I suspect an inside job of either current or former employee.

    reply to this | link to this | view in thread ]

  19. identicon
    Rocky, 7 Oct 2021 @ 10:41am

    Re:

    My guess is that someone didn't configure their bucket on AWS correctly. It happens all the time and then they are publicly available and can quite easily be found by some scanning-tools.

    reply to this | link to this | view in thread ]

  20. icon
    ECA (profile), 7 Oct 2021 @ 12:53pm

    Not enough data.

    Cesspool?
    Lets ask those that watch, why they watch the cesspool stuff?
    Dont just call names and think it means much. Why do you think people LIKE REAL PEOPLE.
    Think its more exciting then the boredom of watching a person NOT get pissed at Dying in games for the 33rd time?

    How confused are the internet corps?
    So confused as to wondering What idiotic BS is happening NEXT.
    Between the Different governments, Even our own, the Aussies, the middle east, china. All trying to find ways to regulate LOCALLY. But also have impact around the world?
    (waiting for Murdoch to get Sue'd in Australia, if and when he closes Comments down on ALL of his news sites).

    If all of this is true and such.
    How many people Believe the internet is SAFE?
    Safe from what?
    Still get Bots, trackers, Popups, this and that, and even a few Virus.
    WE COULD fix some of this by re-inventing the net protocols and Data transferred with every file and email.
    But nope. WE invented the biggest Spy network in the world.

    reply to this | link to this | view in thread ]

  21. icon
    WarioBarker (profile), 7 Oct 2021 @ 1:46pm

    It bears saying...

    If you have a Twitch account and haven't done so yet, change your password and enable two-factor authentication.

    Better safe than stupid.

    reply to this | link to this | view in thread ]

  22. identicon
    Sacred Cow, 7 Oct 2021 @ 9:16pm

    Re:

    My guess is that it's an inside job by either current or former employee of Twitch/Amazon based on the scope and content of the leak so your theory is likely to come true.

    reply to this | link to this | view in thread ]

  23. icon
    Scary Devil Monastery (profile), 8 Oct 2021 @ 2:39am

    Re: Re: Re: Re: Victim-blaming issue?

    "...but the majority of the blame still belongs with the guy who decided to commit a crime."

    It's not really the same malfeasance.

    Casual negligence or reckless endangerment is very much NOT related to theft and burglary. The car thief is only to blame for stealing the car.
    The one abusing the trust of their clients and customers by failing to handle their data with due confidentiality is something else.

    There are two blames to be administered and they have nothing to do with one another.

    reply to this | link to this | view in thread ]

  24. icon
    PaulT (profile), 10 Oct 2021 @ 11:45am

    Re: Re: Re: Re: Re: Victim-blaming issue?

    "The one abusing the trust of their clients and customers by failing to handle their data with due confidentiality is something else."

    Is it though? The vast majority of cases I'm aware of are on the same level as someone forgetting to lock a door rather than equivalent to someone deliberately endangering people.

    reply to this | link to this | view in thread ]

  25. icon
    Scary Devil Monastery (profile), 11 Oct 2021 @ 2:26am

    Re: Re: Re: Re: Re: Re: Victim-blaming issue?

    "The vast majority of cases I'm aware of are on the same level as someone forgetting to lock a bank vault rather than equivalent to someone deliberately endangering people."

    Had to fix that for you.

    If what you keep is nonessential or generally available data then locking the door might not be an issue. If what you have locked away is the private and confidential information of other people then failing to lock up means you have indeed endangered people.

    And if you did this by deliberately not keeping acceptable security then that's very much not excusable.

    Thus there are two types of blame for two types of crimes to be assigned. One where a fraudulent platform fails to properly safeguard the information they lift from their gullible consumers, and one active miscreant who exploits the security flaws to make off with the goods.

    It's not "victim-blaming" to cast blame on the platform when the platform in question has as sole complaint that someone snuck in and made off with the property of third parties which the platform had utterly failed to properly secure.

    Yeah, we can blame the hackers. And we can also blame the platform for running with a templated "best effort" security solution guarding the data they held.

    reply to this | link to this | view in thread ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Make this the First Word or Last Word. No thanks. (get credits or sign in to see balance)    
  • Remember name/email/url (set a cookie)

Close

Add A Reply

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Make this the First Word or Last Word. No thanks. (get credits or sign in to see balance)    
  • Remember name/email/url (set a cookie)

Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

Introducing the new Techdirt Insider Chat, now hosted on Discord. If you are an Insider with a membership that includes the chat feature and have not yet been invited to join us on Discord, please reach out here.

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.