Making Sense of Twitch’s Data Leak
What will happen to Twitch and the data?

Twitch messed up Security
Twitch, a gamer’s streaming platform, got hacked. And not just any old hack. This thing is huge. I wonder what will happen next.
So far, there has been no denial, and their communication is open and to the point.
We have learned that some data was exposed to the internet due to an error in a Twitch server configuration change that was subsequently accessed by a malicious third party.
Updates on the Twitch Security Incident, October 6/7, 2021
Reports state that about 125 Gb of data was released on the internet. Interesting. Interesting. That’s what they call ‘some data’.
I am also curious as to how this will affect Twitch and its users. They assure gamers that no login credentials have been exposed and that no credit card information is stored on their server.
Additionally, they put up some safety measures, most notably the reset of stream keys. It must be quite a reassurance that no one can hijack your stream… I mean: what’s the worst that can happen?
Twitch Got Pwned — what happened exactly?
On the 6th of October an anonymous user posted ‘part 1’ of what he/she/they had acquired from Twitch. Amongst the contents were source code, developer tools and a whole bunch of other proprietary stuff and also… Payment details to their streamers. From 2019 until now.
Nothing was disclosed about how the files were taken. Twitch itself was more forthcoming about this. They did state, however:
“We bring to you today an extremely poggers leak”
Releasing this is poggers, apparently. What the message poster didn’t think was cool, was the Twitch Community: “Their community is also a disgusting toxic cesspool, so to foster more disruption and competition in the online video streaming space, we have completely pwned them”.
Toxic cesspool? Coming from someone at 4chan, it must be bad!
He additionally states “Jeff Bezos paid $970 million for this, we’re giving this away FOR FREE”.
I find the message rather puzzling. The hacker takes pride in releasing the files, rants about the community, pulls Bezos into it as well. The message ends with #DoBetterTwitch.
The message has since been removed, but it is very easy to find. Just use the hashtag above on Twitter. It’s never been so easy to research an article. But I still need to decode it. I admit I had to look up ‘poggers’, so chances are that you find the article not as puzzling.
Making Sense of the Message
Recently #DoBetterTwitch was trending. The topic at hand: hate messages being flooded towards users in so-called ‘hate raids’. Users target a poor streamer and send a multitude of bots to watch a channel. Not to enjoy the show, but to overwhelm the chat with hateful messages.
Some streamers have reported that they themselves had been banned after being targeted in a hate raid. All the more reason for Twitch-users to appeal to Twitch to do something to make the community a better place. Hence, the hashtag #DoBetterTwitch was born.
Apparently, Twitch didn’t do a proper job according to the post on 4chan. He clearly refers to the toxic community and the hashtag that is associated with it.
The message makes sense now. Or does it?
Then again, referring to Bezos and calling the stunt extremely poggers, leads me to believe that the message is just rather juvenile. Just pack some popular opinion along in your dream of going viral. I don't think the post had much of a motive for leaking the data.
I have once heard that when people are asked why they don’t steal, the most common answer is to be afraid of getting caught. Also, a major reason to commit a crime is that an opportunity presented itself. I don’t know how statistically sound these ‘facts’ are, but I think the latter is the real motivation for the hacker's action: it was there.
That doesn’t take away the fact that all acquired data was made publicly available. Not much of an ethical hacker, this guy. A lot of companies offer Bug Bounty-rewards for people pointing them to a breach in security. But clearly, the poster doesn’t worry about getting caught. The internet is an anonymous place after all.
By the way, after reading about the Twitch-incident, I wonder why Medium’s program is on hold.
The Data Has Leaked. So Many Questions
While Twitter is investigating the matter (“Our teams are working with urgency to investigate the incident.”), the anonymous figure is preparing his next move. The next batch of files is expected to be released next Monday.
I wonder about these things mainly:
- what will happen to the data?
- what will happen to Twitch?
- will the hacker be caught?
What will happen to the data?
It won’t be too hard to track down and download the leaked files. Anyone with malicious intent can browse Twitch’s files at their leisure and maybe wreak havoc on the company and its users. Only time will tell how ingenious the hacks of those parties will be.
The piece of data that has been spread and analyzed a lot, is the revenue of the streamers on the platform. I am happy to see what my favourite streamers are making. Looking at those figures, I think we have a long way to go here at Medium. See for yourself:
Knowsomething stresses that “this does not include donations, sponsors, merch, etc”. Is anyone out there already selling Medium-merch?
Twitch is owned by Amazon and some of their code has been released into the wild as well. I expect Amazon will be affected by this. It may or may not affect their security as well.
What will happen to Twitch?
I think it is unlikely that Twitch will disappear after this juicy scandal, but I think we should expect things will change in the foreseeable future.
The Verge has a very incriminating article about how Twitch deals with security. Reading this has me believing that the poor developer who put the code live isn’t to blame. I expect some management roll-over there soon. For example:
The source characterizes Twitch as a place foremost concerned with the bottom line. If it wasn’t generating revenue, then it wasn’t valued as highly. — The Verge
And also:
Multiple sources describe Twitch as a company that pays “lip service” to safety, but that doesn’t back up its words with action. — The Verge
I’ll keep an eye out for any updates about the security breach and how Twitch manages the upcoming years. And Amazon. I don’t expect Amazon to suffer a great blow from this, but I can tell for sure that my trust in them has plummeted. I am looking forward to their response as well.
Will the hacker be caught?
Sometimes, a gamer who hacks their game is caught live on stream. The audience response is always unanimous: you shouldn’t hack games. Twitch’s hack is another story. I’ve seen both encouragement as well as cries of outrage about the feat.
This stunt will be costly for Twitch, Amazon and maybe their users as well. If the hacker is found, I expect the sentence not to be mild.
And what are the chances of him being caught? Surely Twitch has logged where the information was downloaded from? Surely 4chan can tell officials something about the poster? My guess is as good as yours.
A UK-based solicitor writes:
Given the FBI’s unparalleled experience and resources in pursuing hackers, the USA very quickly impedes on most medium to high profile investigations and seeks to extradite those accused of any Computer Hacking Offences. The likelihood of being convicted in a US court is not only higher than in the UK, but the expected sentences are most often shockingly lengthy.
Unparalleled experience? That doesn’t bode well for the hacker. I hope it’s not some youngster who has thrown away his life for some giggles.
Although the events have been tragic, I find myself looking forward to the messages Twitch will put out, how their users respond and also what this next batch of files will entail. The next couple of weeks should be interesting.





