A catastrophe at Twitch
The entire code base leaked online. Now what?
Sometime in the past few days, someone committed one of the more audacious data heists in recent history. Details of how the theft went down are so far unknown. But the result is that the entirety of Twitch, Amazon’s increasingly popular live streaming service, is now available for download. "Jeff Bezos paid $970 million for this,” the person who posted the file wrote in a forum post. “We're giving it away FOR FREE."
The entirety of Twitch’s source code with comment history “going back to its early beginnings”
Creator payout reports from 2019
Mobile, desktop and console Twitch clients
Proprietary SDKs and internal AWS services used by Twitch
“Every other property that Twitch owns” including IGDB and CurseForge
An unreleased Steam competitor, codenamed Vapor, from Amazon Game Studios
Twitch internal ‘red teaming’ tools (designed to improve security by having staff pretend to be hackers)
Vice compared the reported creator payouts to its own channel and found that the data is accurate. (It also reported that the torrent file is 135GB, not 125GB. Sorry but I won’t be downloading it myself to check!)
Almost immediately, someone posted a searchable database and leaderboard for all Twitch creators. Among other things, it shows that 81 creators have earned $1 million or more between August 2019 and today; the top account, the role-playing game channel CriticalRole, has earned $9.6 million.
This data is a gold mine for anyone trying to understand the streaming corner of the creator ecosystem. And while some creators will no doubt find it embarrassing to have their payouts leaked, in many ways these numbers are the least of Twitch’s worries.
To understand how something like this could have happened — and to get a sense of what might happen next — I spent the day talking with a couple former Twitch engineers who were familiar with the situation. What I learned suggests that Twitch might be in for an extremely rough time.
First, some context. Twitch is best known as a place where people broadcast themselves playing video games. And people who play videos games tend to attract some of the most hostile commentary, harassment, and abuse that you will ever see.
After a slow start, Twitch has worked to make progress on its trust and safety issues. Earlier this year, I wrote about how the company developed a plan to investigate off-platform abuse when creators face allegations of bad behavior. More recently, it introduced new tools to help streamers block “hate raids” — a phenomenon where abusers program bots to flood chats with slurs and insults. It also sued two people conjunctions with hate raids — an action you almost never see a platform take against its own users, and one that speaks to Twitch’s commitment to solving the problem.
In their note on 4chan, the apparent hacker suggested that the company’s difficulty reining in bad actors had led them to act. "Their community is … a disgusting toxic cesspool, so to foster more disruption and competition in the online video streaming space, we have completely pwned them,” they wrote in part.
Take all that with a grain of salt — I’m rarely inclined to take an anonymous hacker at their word when it comes to motivations — but it seems like the attack may have had at least something to do with Twitch’s recent trust and safety track record.
So how did the attack happen? For the moment, no one knows.
“We're currently investigating the issue and will have more to share as we have additional detail,” the company told me.
But according to the former engineers I spoke with, Twitch had a notoriously lax approach to internal security that, in the view of some, made an incident like today’s more likely.
Among the issues they identified:
The company did not develop an effective model to counter internal threats — that is, employees who might seek to steal data or cause other problems.
Every engineer could clone every code repository, making it possible for someone to essentially copy and paste the entire code base.
Despite being owned by Amazon since 2014, Twitch still has its own information security practices, which are generally weaker.
“No other company has this level of facepalm,” one engineer told me. (One further illustration of their point: more than a year after leaving the company, their account still had a “staff” badge, granting it extra administrative privileges.)