Twitch’s security problems started long before this week’s hack

Bad security practices made the breach seem inevitable to former employees

Illustration by Alex Castro / The Verge

A massive security breach at Twitch has exposed a wealth of information pertaining to the website’s source code, unreleased projects, and even how much the top streamers make. As data analysts and journalists work to decipher what exactly is contained in the hundreds of gigabytes of information, others are still wondering how this happened.

Such a breach seemed like it was increasingly likely to some. The Verge has spoken to multiple sources who claim that during their time at Twitch, the company valued speed and profit over the safety of its users and security of its data.

This data breach, which Twitch blames on an error in a server configuration, is the latest in a series of security and moderation problems that have plagued the Amazon-owned streaming platform. In August, hate raids, in which marginalized streamers were subjected to uncontrollable numbers of bots spamming hate speech, erupted across Twitch.

Streamers banded together to create the #twitchdobetter hashtag and organized a walkout on September 1st to bring attention to the problem and spur Twitch to deploy safety measures to stem the hate tide. In response, Twitch acknowledged streamers’ complaints, urged patience, and promised it was working on tools that would help to better protect streamers and their communities.

“You’re asking us to do better, and we know we need to do more to address these issues,” Twitch said in its response.

But hate raids didn’t just suddenly appear this summer and, according to a former Twitch employee, alarms were raised about the potential abuses of raids long before their hate variety exploded in August.

One source, who spoke to The Verge on the condition of anonymity, worked at Twitch from 2017 to 2019. They described an atmosphere where employees were very concerned about safety but management less so.

“There would be constant questions and discontent about the regular moderation failures,” the source says, explaining that management would respond to that discontent, “very slowly.”

This source claims raids were internally discussed as being a vector for harassment just by virtue of their name alone and that the team had to rush to secure the feature before it went live. The source characterizes Twitch as a place foremost concerned with the bottom line. If it wasn’t generating revenue, then it wasn’t valued as highly.

Twitch has reset everyone’s stream keys.

Another source tells The Verge that Twitch has regularly chosen not to disclose security issues it has faced. An unreported security problem occurred in 2017, according to the source, and opened up the platform to new risks.

Scammers were allegedly able to contact streamers requesting revenue sharing from Twitch Prime subscriptions, and the source claims it led to Twitch accounts being connected to compromised Amazon accounts.

The source notes that attackers can now see the shortcuts and APIs for internal Amazon services thanks to this leak. Because Amazon’s Prime Gaming offers revenue to streamers through subscriptions, the source warns it could be a fresh attack vector for hackers aiming to make money.

Multiple sources describe Twitch as a company that pays “lip service” to safety, but that doesn’t back up its words with action. While Amazon owns Twitch, the streaming service was given full control over its technology stack. That’s meant Twitch uses a lot of third-party services that Amazon has traditionally avoided. Twitch was on Slack before Amazon eventually adopted it, and two sources say Twitch has struggled to perform effective audits on the software and tools it has been using in the past.

The same source claims they were also being asked to “approve and review documents” months after they had left Twitch.

All of this adds up to the type of messy environment where a configuration mistake, like the one that happened this week, seemed inevitable. Twitch suffered some type of security issue in 2015, which led to unauthorized access on some accounts. This new breach has exposed a massive amount of internal data to the internet, leaving Twitch with no option but to address it publicly.

Twitch is now racing to work out exactly how much data has been stolen in this hack. “As the investigation is ongoing, we are still in the process of understanding the impact in detail,” says Twitch. While Twitch investigates, hundreds or thousands of people are now tearing apart its most inner secrets.