April 25, 2022

The Great Twitch Data Breach of 2021

Twitch, the largest live streaming service in the world, has made many controversial decisions about the content that they allow and promote. Internally, the landscape was stretched and scarred from the urge to pursue constant growth. This left some resources stretched thin, and things like security testing may have fallen by the wayside.

But up until 2021, the company had been on a seven-year run of only minor cyber security incidents. The major 2014 'Urgent Pizza' hack was starting to fade in the memories of staff and investors… perhaps a little too much. Because according to reports, management kept pushing back required security audits and updates in recent years.

Then, the great Twitch data breach of 2021 happened. And as stunning as the news was to Twitch users, it was the coders and the content creators that ended up suffering the most due to the monumental data breach. The fallout of the more recent incident would send shockwaves through the Amazon-owned company, and through the streaming community in general. The curtain had been lifted on the inner workings of the biggest live streaming company in the world, and not everyone liked what they saw.

So let's talk about the details. What follows is a breakdown of the great Twitch data breach of 2021, and how it laid bare the inner workings of the largest live streaming organization in the world.


The Twitch Data Breach Lead Up - Hostility And Hate Raids

To say that early 2021 was a turbulent time for Twitch would be a massive understatement. The Covid pandemic had forced many people indoors. They were working from home or not working at all. They couldn't leave the house to seek their entertainment. As a result, Twitch's popularity exploded. Their concurrent viewership numbers went from 1.26 million in 2019 to a staggering 2.84 million in 2021.

The relatively tech-savvy and gaming-interested community of the early days became dwarfed by the general populace of the greater online community. Arguably, that had been happening since around 2016, but the flood of pandemic users accelerated the process by an order of magnitude. Over 100% community growth in two years was bound to cause crashes.

Hate communities started to single out minority streamers and 'raid' them en masse. A Twitch raid allows a streamer to dump all of their users into another channel at once. Normally this is a blessing, but in this case, it was a curse. The bigots would gather in one person's channel, and then unleash their racial and sexual slurs and general spam on the minority streamer and their entire community. It became so commonplace, the technique was used on streamers that some people simply didn't like, or who held certain political or social opinions.

Twitch was having a lot of trouble detecting and dealing with these hate raids. When added to the spambots and other disruptive automation, their security and moderation staff simply couldn't keep up with the flow of stupidity and bigotry that was washing over their platform like toxic sludge. Early September saw a streamer-organized boycott entitled "A Day Off Twitch". Content creators effectively went on strike to protest the lack of action on the hate raid situation.

The Happening - Twitch Data Breach of 2021

Whether this was the specific reason that the hackers chose to act, or whether something else was the last straw, is unknown. What is known is that the hackers announcing the data breach on 4Chan called Twitch's community 'a disgusting, toxic cesspool'. They said:

'…to foster more disruption and competition in the online video streaming space, we have completely pwned them.'

According to Twitch, an errant server configuration change is what allowed the hackers to gather 135 gigabytes of internal data, package it, and release it to the public with no filters. It contained source code, internal configuration data, dev tools, infosec breakdowns, and the biggest prize: Streamer contract payouts for just about every major and minor Twitch deal you can imagine.

Twitch quickly released a statement in response to the hack:

'We can confirm a breach has taken place. Our teams are working with urgency to understand the extent of this.'

They didn't go into much detail. On October 7th, Twitch reset all streamer keys to prevent people from potentially impersonating or hijacking a streamer. But that was just the start of their issues.

Enraged streamers and their communities lambasted Twitch and Amazon's lack of security. Even the chaos that the pandemic caused, and the fact that a lot of Twitch's staff was also working from home, didn't excuse the company's management for neglecting literal years of security concerns.

Although individual users, usernames and passwords, and other account-based information weren't part of the leak, a major privacy incident had taken place. The financial arrangements and contract details for Twitch streamers were now public knowledge. Everyone from small up-and-comers to the biggest names in the business had their businesses laid bare.

It was a field day for Twitch's competitors. They had all of the company's internal source code. They knew exactly how their platform operated. They had access to all of the internal tools built over the years. A billion dollars in company IP was floating in the wind.

No Defense For Streamers

This great Twitch data breach of 2021 was the kind of incident that makes you feel completely helpless if you're a small business owner (or even a large media channel) who is completely reliant on someone else's platform for your livelihood. Those streamers did nothing wrong on the privacy or security side. It wasn't like other streaming platforms were advertising their robust internal security at the time. That simply wasn't a factor when deciding on what streaming platform would host their content.

And no password or privacy tool could have helped them… it just wasn't that kind of hack. The information that was released was about their business, their livelihood. And it was all information that was required by Twitch to sign these contracts in the first place.

In the aftermath, some streamers did leave the platform, but not all that many. At the time, Twitch hosted around 90% of all gaming content streamed. In the next quarter that number ticked up very slightly, but they did lose around 5% of total hours watched. That would be consistent with some of the bigger names and content houses moving their operations to YouTube Gaming. But in the grand scheme of things, it's a small blip on the radar.

The moral of the story is: Sometimes, as a user, you can do everything right as far as privacy is concerned. But if you trust the wrong people or get into bed with the wrong companies, even if there are simply not many other choices available, you can be the victim of someone else's incompetence.

Will R
Hoody Editorial Team

Will is a former Silicon Valley sysadmin and award-winning non-functional tester. After 20+ years in tech, he decided to share his experience with the world as a writer. His recent work involves documenting government hacking methods while probing the current state of privacy and security on the Internet.
