The Great Twitch Data Breach of 2021

The Twitch Data Breach Lead Up - Hostility And Hate Raids

To say that early 2021 was a turbulent time for Twitch would be a massive understatement. The Covid pandemic had forced many people indoors. They were working from home or not working at all. They couldn't leave the house to seek their entertainment. As a result, Twitch's popularity exploded. Their concurrent viewership numbers went from 1.26 million in 2019 to a staggering 2.84 million in 2021.

The relatively tech-savvy and gaming-interested community of the early days became dwarfed by the general populace of the greater online community. Arguably, that had been happening since around 2016, but the flood of pandemic users accelerated the process by a magnitude. Over 100% community growth in two years was bound to cause crashes.

Hate communities started to single out minority streamers and 'raid' them en masse. A Twitch raid allows a streamer to dump all of their users into another channel at once. Normally this is a blessing, but in this case, it was a curse. The bigots would gather in one person's channel, and then unleash their racial and sexual slurs and general spam on the minority streamer and their entire community. It became so commonplace, the technique was used on streamers that some people simply didn't like, or who held certain political or social opinions.

Twitch was having a lot of trouble detecting and dealing with these hate raids. When added to the spambots and other disruptive automation, their security and moderation staff simply couldn't keep up with the flow of stupidity and bigotry that was washing over their platform like toxic sludge. Early September saw a streamer-organized boycott entitled "A Day Off Twitch". Content creators effectively went on strike to protest the lack of action on the hate raid situation.

The Happening - Twitch Data Breach of 2021

Whether this was the specific reason that the hackers chose to act, or whether something else was the last straw, is unknown. What is known is that the hackers announcing the data breach on 4Chan called Twitch's community 'a disgusting, toxic cesspool'. They said:

;…to foster more disruption and competition in the online video streaming space, we have completely pwned them.'

According to Twitch, an errant server configuration change is what allowed the hackers to gather 135 gigabytes of internal data, package it, and release it to the public with no filters. It contained source code, internal configuration data, dev tools, infosec breakdowns, and the biggest prize: Streamer contract payouts for just about every major and minor Twitch deal you can imagine.

Twitch quickly released a statement in response to the hack:

'We can confirm a breach has taken place. Our teams are working with urgency to understand the extent of this.'

They didn't go into much. On October 7th, Twitch reset all streamer keys to prevent people from potentially impersonating or hijacking a streamer. But that was just the start of their issues.

Enraged streamers and their communities lambasted Twitch and Amazon's lack of security. Even factoring in the chaos that the pandemic caused, and the fact that a lot of Twitch's staff was also working from home, didn't excuse the company's management from neglecting literal years of security concerns.

Although individual users, usernames and passwords, and other account-based information weren't part of the leak, a major privacy incident had taken place. The financial arrangements and contract details for Twitch streamers were now public knowledge. Everyone from small up-and-comers to the biggest names in the business had their businesses laid bare.

It was a field day for Twitch's competitors. They had all of the company's internal source code. They knew exactly how their platform operated. They had access to all of the internal tools built over the years. A billion dollars in company IP was floating in the wind.

No Defense For Streamers

This great Twitch data breach of 2021 was the kind of incident that makes you feel completely helpless if you're a small business owner (or even a large media channel) who is completely reliant on someone else's platform for your livelihood. Those streamers did nothing wrong on the privacy or security side. It wasn't like other streaming platforms were advertising their robust internal security at the time. That simply wasn't a factor when deciding on what streaming platform would host their content.

And no password or privacy tool could have helped them… it just wasn't that kind of hack. The information that was released was about their business, their livelihood. And it was all information that was required by Twitch to sign these contracts in the first place.

In the aftermath, some streamers did leave the platform, but not all that many. At the time, Twitch hosted around 90% of all gaming content streamed. In the next quarter that number ticked up very slightly, but they did lose around 5% of total hours watched. That would be consistent with some of the bigger names and content houses moving their operations to YouTube Gaming. But in the grand scheme of things, it's a small blip on the radar.

The moral of the story is: Sometimes, as a user, you can do everything right as far as privacy is concerned. But if you trust the wrong people or get into bed with the wrong companies, even if there are simply not many other choices available, you can be the victim of someone else's incompetence.