Poor security practices made a breach seem inevitable to former employees
A massive security breach at Twitch has exposed a wealth of information related to the website’s source code, unpublished projects, and even how much top streamers earn. As data analysts and journalists work to understand exactly what is in the hundreds of gigabytes of information, others are still wondering how it came to be.
To some, such a breach seemed increasingly likely. The Verge has spoken to several sources who claim that during their time at Twitch, the company valued speed and profit over the safety of its users and the security of their data.
This data breach, which Twitch has blamed on an error in server configuration, is the latest in a series of security and moderation problems that have plagued the Amazon-owned streaming platform. In August, hate raids, in which marginalized streamers were subjected to an uncontrollable number of bots spamming hate speech, spread across Twitch.
Streamers banded together to form the #twitchdobetter hashtag and organized a walkout on September 1 to call attention to the problem and prompt Twitch to deploy security measures to stem the tide of hate. In response, Twitch acknowledged streamers’ complaints, urged patience, and promised that it is working on tools that will help better protect streamers and their communities.
“You’re asking us to do better, and we know we need to do more to address these issues,” Twitch said in its reply.
We’ve seen a lot of conversations about botting, hate raids, and other forms of harassment targeting marginalized creators. You’re asking us to do better, and we know we need to do more to address these issues. This includes an open and ongoing dialogue about manufacturer safety.
— Twitch (@Twitch) 11 August 2021
But hate raids didn’t pop up suddenly this summer and, according to a former Twitch employee, alarm was raised about the potential abuse of raids long before their hate variety exploded in August.
A source who spoke to The Verge on condition of anonymity worked at Twitch from 2017 to 2019. He described an environment where employees were very concerned about safety but management was less so.
“There will be constant questions and dissatisfaction about routine moderation failures,” the source says, explaining that management would respond to that dissent “very slowly.”
This source claims that the raid feature was discussed internally as a vector for harassment based on its name alone and that the team had to rush to secure the feature before it went live. The source characterizes Twitch as a place concerned above all with the bottom line. If it wasn’t generating revenue, it wasn’t worth that much.
Another source tells The Verge that Twitch has routinely chosen not to disclose the security issues it has faced. According to the source, an unreported security issue occurred in 2017, and it opened the platform to new risks.
Scammers were reportedly able to contact streamers requesting revenue sharing from Twitch Prime subscriptions, and the source claims that this led to Twitch accounts being linked to compromised Amazon accounts.
The source notes that attackers can now look for shortcuts and APIs for internal Amazon services thanks to this leak. Because Amazon’s Prime Gaming provides streamers revenue through subscriptions, the source warns that this could be a new attack vector for hackers aiming to make money.
Several sources describe Twitch as a company that pays “lip service” to security but doesn’t back its words with action. While Amazon owns Twitch, the streaming service was given full control over its technology stack. This means that Twitch uses a number of third-party services that Amazon has traditionally avoided. Twitch was on Slack before Amazon eventually adopted it, and two sources say Twitch has struggled in the past to conduct effective audits on the software and tools it was using.
The same source claims that he was also being asked to “approve and review documents” months after leaving Twitch.
It all adds up to the type of messy environment where a configuration mistake, like the one that happened this week, seemed inevitable. Twitch encountered some sort of security issue in 2015, which led to unauthorized access to some accounts. This new breach has exposed massive amounts of internal data on the Internet, leaving Twitch with no option but to publicly address it.
Twitch is now in a race to find out how much data was stolen in this hack. “As the investigation continues, we are still in the process of understanding the effect in detail,” Twitch says. While Twitch investigates, hundreds or thousands of people are now cracking its innermost secrets.