First things first; if you are one of the over 140 million people with a Twitch account, go change your password and enable multi-factor authentication. Right now. Go on, we’ll wait. Then come back here for the article. Done? Cool.
Last night, an anonymous user on 4chan dumped a 125GB torrent they claimed to be “the entirety of Twitch,” from source code to user credentials. The files are available and appear genuine. It includes not only code and credentials, but an entire unreleased Steam competitor developed by Amazon — which owns Twitch — codenamed Vapor. It’s a lot. Twitch is the top live-streaming platform in the nation for gaming. There are more than 3 million unique broadcasters every month, and it’s the primary source for esports league broadcasts. It also streams the NBA G League, the National Women’s Hockey League, and Premier League soccer matches. It’s a huge source of entertainment and income for many people these days, and the leak is devastating.
Twitch was hacked, according to the poster, because “their community is a disgusting toxic cesspool”. Months ago, organized and malicious users began “hate raiding” the channels of content creators who were targeted because of their gender, ethnicity, or religion. Similar to the pandemic-related incidents of spammers broaching open Zoom meetings to spill vitriol and racial slurs, these hate raids are designed to silence the voices of creators who commit the sin of being anything other than white cis men. Many of these attacks include automated bots, which makes it difficult to target the actual perpetrators. Dozens or hundreds of genuine and automated accounts will pile on and flood the channel with hate speech. This became a problem in May after Twitch added more than 350 new tags to help viewers sort their streams by content and creator. Those tags include gender, sexual orientation, mental health issues, and many others. Naturally, the tool designed to help people find like-minded internet friends immediately backfired. When Black, trans, female, and other users became easy to identify, it opened them up to a world of abuse. Twitch told the public it had no “clear evidence” the tags were used to target creators, which is like claiming there’s no proof it was a tornado that dropped your farmhouse in Oz. In the company’s very limited defense, it has worked to ban accounts of malicious actors and even sued several they believe are responsible for many of the automated attacks. The lawsuit came after the #ADayOffTwitch campaign, in which a number of highly popular broadcasters and their followers stayed off the site to protest what they saw as a lack of action on Twitch’s part to deal with the problem. The suit and other attempts by Twitch have proven ineffective at best, because of the anonymity of the accounts involved. Part of the problem is that, unlike your average Facebook user, many Twitch subscribers are tech-savvy. Methods to circumvent security are discovered almost as fast as the measures are implemented, and shared among the troll community. Much like Facebook and Twitter, financial concerns at Twitch make them loath to do anything that might impact subscriber numbers. They could, for example, more drastically limit the number of accounts linked to a single email address; they do not. Creators are often left to their own devices when it comes to moderation, with little to no professional support. Twitch has begun banning all accounts associated with an email address spewing hate speech and phone verification requirements for chat on channels that implement it. This is seen by many creators as too little too late and puts the impetus on victims of such attacks, rather than the company making phone verification mandatory for everyone. As Twitter demonstrates on a daily basis, toxic interactions breed in an anonymous environment. Unlike Twitter, however, Twitch is a significant source of income for many of its users. Despite this, the attacks continue with little support from the company relying on their live streams.
As of 8:30 EST, there is no official response to the leak. Twitch has yet to make a statement on Twitter or to the press, but I’ll update when they do. The leak is certainly a blow to the platform and its millions of benign users, and with luck account holders will protect their identities before anything crucial is stolen. But the leak never would have occurred had Twitch simply protected its vulnerable client base in the first place. It chose not to, and this is the result. We’ll see if anything changes moving forward.
Header Image Source: Twitter screenshot