Twitch, the popular, Amazon-owned streaming platform, is contending with an unprecedented hack of its website. On the morning of Oct. 6, an anonymous 4chan user published a 235 GB torrent file that included Twitch’s source code, creator earnings details, and other confidential information.
The leak does not appear to include personal information on Twitch streamers and viewers, like user IDs or passwords; a lot of what was made public is centered on internal Twitch documentation. Twitch says that it’s still working to understand the scale of what was stolen, and that the company will update streamers and Twitch community members with more information when it’s available. Here’s what we know right now.
What was stolen in the Twitch breach?
The leaked information shared on Wednesday includes three years’ worth of creator earnings payouts, going back to 2019. This data has been collated online and encompasses the top 10,000 streamers. A number of streamers, on social media and elsewhere, have confirmed that these numbers match their internal Twitch analytics, but some say their numbers are off.
Hackers also say they’ve got access to “commit history going back to [Twitch.tv’s] early beginnings,” which means that there could be saved “snapshots” of each iteration of Twitch as far back as its creation. Source code, too, for Twitch’s mobile, desktop, and console clients has also been made available online, as has “code related to proprietary SDKs and internal AWS services used by Twitch,” according to The Verge. Data for other Twitch properties, like video game database IGBD and mod management system CurseForge, has also been leaked alongside security tools and files related to a reportedly in-development Steam competitor codenamed Vapor, designed by Amazon Game Studios.
According to Vice, information shared in the leak is not particularly “sensitive,” at least to Twitch; the information shared is more harmful to streamers themselves.
As reported by The Verge, the information published Wednesday is labeled “part one,” which implies that more hacked data may be available. Twitch has not yet commented specifically on the data that’s been stolen.
So, should I change my password?
The short answer here is yes, you should change your password, even if there is little evidence suggesting that personal Twitch account information — aside from creator earnings — has been compromised. It’s possible that the Twitch hacker has more information, however, that could include personal information, including passwords and other sensitive data.
Twitch has not addressed user safety, though some Twitch users logging into the streaming platform Wednesday have reported being asked to change their passwords. It’s also generally recommended to enable two-factor authentication if you haven’t already — this step will make it harder for others to gain unauthorized access to your account, thus protecting any information in there.
Why do people care about creator earnings?
Twitch streamers who earn money from the platform are largely secretive about how much they make, and that’s because anyone who has signed a contract with Twitch is reportedly barred from sharing that data. It’s no secret that Twitch streamers make money through a variety of avenues, including subscriptions, donations, ads, and exclusive contracts. Curious parties can just add up the number of subscribers a person has to ballpark a streamer’s revenue in that area: Subscriptions start at $4.99 and revenue is split with Twitch. Most streamers get a 50% cut of the subscription price, but Twitch does allow some streamers to negotiate different splits.
But this list of creator earnings is significant because this type of data has never been uncovered before at this scale. Among other things, the information here shows a major disparity between Twitch’s top streamers and the tens of thousands of streamers who struggle to find an audience. The breach has also sparked conversations about Twitch’s donation structure, which encourages viewers to “tip” streamers beyond their monthly subscription.
However, it’s not entirely clear what encompasses these numbers. The Washington Post reported Wednesday that the leaked earnings data appears to be a “composite of money made off ads, subscriptions, and other features,” — leaving out any brand deals, YouTube earnings, merchandise, or donations made outside of Twitch. The numbers listed appear to total untaxed earnings made since 2019.
The top channel listed as part of these earnings documents is Critical Role, the Dungeon & Dragons role-playing channel where professional voice actors play through a campaign. It was created by Overwatch voice actor Matthew Mercer. The second highest earner, per these leaked documents, is Félix “xQc” Lengyel, a controversial Canadian streamer and former Overwatch pro player. In total, these documents suggest 81 streamers have made more than $1 million from Twitch since 2019, with the top 10 Twitch earners receiving, in total, at least $49,993,651 in those three years.
The earnings report, per the unconfirmed document, also highlights disparities in Twitch’s gender pay gap. The majority of the streamers listed within the top 100 are men; only three creators listed there are women — only one of whom is a woman of color, Kotaku reported Wednesday.
How are streamers reacting?
Naturally, the Twitch hack is a major topic on Twitch itself. Plenty of top streamers have opted to discuss payout earnings on streams throughout the day, many of which are poking fun at the money rankings: For instance, political commentator and streamer Hasan “HasanAbi” Piker titled his stream “#13 WEALTHIEST STREAMER ON THE PLANET,” commenting on his place on the earnings list to more than 44,000 viewers. Imane “Pokimane” Anys, streaming to more than 20,000 viewers, titled her stream in a similar way: “#39 reporting for duty” and joking on Twitter that “at least people can’t over-exaggerate me ‘making millions a month off my viewers anymore.’”
She continued: “I capped my donations a year ago since I’m not at a point where sponsors, investments, and exclusive contracts can sustain me. Transparently, subs + stream ads are the lowest part of my income and I want you guys to continue keeping that money in your pocket.”
The anonymous leaker, in the 4chan post with the hacked information, called Twitch’s community “a disgusting toxic cesspool,” and said the leak is intended to “foster more disruption and competition in the online video streaming space.” The leaker closed the message with a hashtag, #TwitchDoBetter, a reference to a social media campaign started in August designed to highlight harassment Black streamers face on the platform.
Some streamers expressed frustration over the leaker using the #TwitchDoBetter hashtag. The hashtag was created in August in response to an increase in “hate raids” on the platform. Hate raiders misuse Twitch’s raiding feature — which lets a streamer migrate their viewers over to another stream — and send large amounts of toxic viewers or bots to marginalized streamers, especially, Black streamers, queer streamers, women streamers, and streamers of color. Twitch has since sued two people for allegedly leading hate raids. Later in September, Twitch announced new features created to curb harassment on the site, including a feature that requires Twitch viewers to verify a phone number before being able to use chat functionality.
To say there is a rift between Twitch streamers and the company is an understatement. Streamers are frustrated by a perceived lack of responsibility and security from the company — particularly its lack of protections for marginalized streamers — and Wednesday’s hack only adds to that existing frustration.