The DeanBeat: Twitch hack exposes more industry secrets

Perhaps the lesson of the leak of a trove Twitch‘s data, source code, and internal tools is that we can expect this to happen to just about everybody in the industry. And one of these days, perhaps we won’t have any secrets left.

This week, hackers disclosed that they had penetrated Twitch’s security and had access to just about all of its secrets and they would disclose those secrets. We don’t know if they’re trying to extract blackmail payments from Twitch, but that might be a logical assumption.

Among the secrets that leaked was a list of how much money the top streamers on the livestreaming service made in subscription revenue.

The list showed that 81 Twitch streamers have made more than $1 million on Twitch since August 2019. At the top was Critical Role, a team of voice actors who stream their Dungeons & Dragons gameplay. They made $9.6 million from Twitch payments in the past two years. Making more than $5 million since August 2019 was FaZe Clan co-owner and Call of Duty streamer Nickmercs. All of the top 25 made more than $2 million each over the two years. The BBC reported that a few streamers confirmed that the figures are accurate.

This doesn’t include the money the streamers make on other platforms such as YouTube or how much they make with merchandise sales, sponsorships, and external donations. But the leak did reveal that Twitch takes a 50% share of creator earnings. That’s a pretty big cut considering those creators bring in the 2.5 million concurrent users to Twitch every day.

Above: Hackers, whistleblowers, and ransomware thieves seem like they are winning.

Image Credit: Getty Images

Twitch confirmed the hack was real. It said the data was exposed to the internet due to an error in a Twitch server configuration change that was subsequently accessed by a malicious third party. The team is investigating the leak, and it is working urgently to assess the impact. It said it had no indication that login credentials were exposed or credit card numbers were stolen. Still, everybody should be changing their passwords, and Twitch may have to accept the fact that even more of its secrets are going to spill out.

So far, these aren’t extremely shocking leaks of information. But it feels like an inevitable trend. Information wants to be free. Or, rather, the hackers who are able to penetrate big companies want the information to be out in the open. No more secrets.

The Verge reported that Twitch had received warnings from various insiders about safety risks. And in August, anti-diversity hate raids targeted marginalized streamers with hate speech, and Twitch seemed powerless to stop those attacks and protect its own streamers. Streamers organized #ADayOffTwitch protest on September 1 to get the company to do something about the raids.

Twitch wasn’t so popular after this, and the hack triggered a lot of different reactions.

I respect the hell out of content creators – it’s hard work – but looking at the numbers from the Twitch leak NGL it upsets me that so many are making WAY more money than most of the GAME DEVELOPERS THAT MADE THE GAMES THEY STREAM.

— Cliff Bleszinski (@therealcliffyb) October 6, 2021

Other leaks

Other companies that got hacked this year included Electronic Arts and CD Projekt. A whistleblower also leaked a bunch of damning documents at Facebook to the Wall Street Journal, and the whistleblower herself appeared on 60 Minutes to talk about how she believes Facebook puts profits over user safety. And hundreds of journalists working around the world got access to a ton of documents that showed how billionaires hide their wealth from tax authorities around the world.

Twitch itself was hacked in 2015. And some of us remember Sony falling victim to Anonymous hacks and losing its PlayStation Network for weeks.

Pavel Kuznetsov, deputy managing director at cybersecurity technologies at Positive Technologies, said in an email that the attackers could use the source code to identify new vulnerabilities to use in the future as backdoors to the company’s data.

“To prevent breaches like this, organizations need to identify the risks that are most important to the company before attacks happen,” Kuznetsov said. “Build a layered security system that overlaps the ways of realizing these risks by monitoring and countermeasures, and continuously improve this system. In the presence of all three components, the probability of these risks being realized can constantly and steadily decrease.”

Epic v. Apple

Above: Epic Games launched the Free Fortnite Cup with Apple as the villain.

Image Credit: Epic Games

When Epic sued Apple for antitrust violations, we got to see a lot of industry secrets spill into the open as well thanks to court evidence discovery. We learned how much Epic Games paid for exclusives, how Apple executives early on had conversations, how Epic itself had huge security problems even as it accused Apple of failing with security, how Epic planned its lawsuit like a PR campaign, and how one key Apple executive admitted that security for the Mac wasn’t good enough.

And when Epic sued Google for antitrust violations, we saw how Google created contracts with different Android phone makers that controlled whether or not competing third-party stores could be preinstalled on Android phones. After covering the game industry for decades, I feel like I’m only just now starting to understand how the industry really works.

I’m not here to say that all of these secrets damn all of these companies, or that any one of them had the juiciest secrets. Rather, I’m saying that they should operate with the knowledge that one of these days all of their secrets are going to be spilled out into the open.

Paul Martini, CEO of iBoss, said in an email, “Twitch is the latest major player in the video game industry to suffer a breach but almost certainly will not be the last.”

And the more that the industry knows all of this information, the better off everyone will be.

Above: Twitch is the first platform for Players Ntwrk.

Image Credit: Twitch

It feels inevitable. And rather than spending a huge amount of money trying to keep such secrets from spilling out, I think they should think about making their operations more transparent. Companies should operate in a way that withstands the light of day. It’s so hard to protect against hackers when all it takes is a single employee being dumb enough to have a password like “123456789” to make the company vulnerable to hackers. Sometimes suck hacks are inside jobs as well.

We recently did a webinar on game hacking, particularly by those who want to cheat in online multiplayer games. And we’ll be talking about security and the metaverse at our upcoming GamesBeat Summit Next online event on November 9-10.

Twitch itself is going to have a long road ahead in regaining trust and loyalty to its platform, and competitors like YouTube will be recruiting Twitch streamers to defect.

“What happened to Twitch can happen to almost any organization, though their particular service niche likely made them a higher priority target for some groups,” said Bob Rudis, chief data scientist at Rapid7, in an email.

DAOs

Some companies are turning themselves into projects. In the blockchain space, for instance, we are seeing the emergence of decentralized autonomous organizations, or DAOs. These sell crypto tokens to their users, investors, and other parties. And those who hold the tokens have a say in the governance of the DAO. Sky Mavis, for instance, is a game development firm that owns only about 20% of the protocol that runs the Axie Infinity blockchain-based game. The rest is owned by players and investors. And if they want, they could get access to the protocol’s secrets and even have a say about what it does with its treasury, which amounts to $7.5 billion.

Sounds like communism? Maybe so. But transparency is important, and hackers may force that transparent world upon us. Imagine how good a business we could all run, or how good an economy we could all enjoy, if we only had perfect information.