Twitch Hacked: IP and Privacy Concerns?

(Photograph: Lionel Bonaventure/AFP/Getty Images)

An anonymous hacker leaked the entirety of Twitch via a 125 GB torrent link on 4chan at around 12am yesterday. Twitch confirmed the data breach 8 hours later. Twitch is still determining the extent of the leak, so the following list is not exhaustive. The leak included:

Twitch properties

  • Twitch’s source code for all of its clients, whether on desktop or mobile;
  • The “entirety of Twitch.tv”, “with comment history going back to its early beginnings”;
  • Code relating to Twitch’s proprietary software, such as their Software Development Kits (SDKs), internal Amazon Web Services (AWS) services, internal ‘red teaming’ security tools (red teaming is where staff pretend to be hackers in order to test defences) and other properties (e.g. IGDB, CurseForge).

Streamers’ Personal Data

  • Pay-out information for Twitch’s top 10,000 streamers over at least the past 3 years;
  • Some user IDs and passwords for popular Twitch streamers.

The hacker allegedly carried out the hack to “foster more disruption and competition in the online video streaming space”. The hack may have done just that. Although Twitch has obtained numerous patents relating to various aspects of its streaming service, with its source code out in the open, theoretically anyone could replicate its services in places where Twitch does not have patent rights. Twitch may also have trouble proving patent infringement at home if entrepreneurial (or opportunistic) software engineers carefully toe the line between copying and inventing.

The leak also contained a significant amount of personal data. The most eye-catching is streamers’ income, such as the US$8.4 million payout to Canadian streamer and former Overwatch pro-player “xQcOW” (see picture below, which has recently been widely circulated, for reference). This prompted some backlash from fans, who accuse certain streamers of pretending to be ‘down-to-earth’ when in fact they had sky-high earnings.

Such an unanticipated leak of sensitive personal information (PI) could cause reputational damage to such streamers, who may choose to take legal action against Twitch (whose estimated revenue was US$2.3 billion in 2020). After all, there are other streaming platforms out there, with possibly more to come.

It also remains to be seen whether Twitch has breached any data security and privacy laws on a governmental and/or contractual level. It is inconceivable how such a massive leak could have occurred without tripping any alarms. As the investigation goes on, we may discover weaknesses in Twitch’s security systems that failed to adequately encrypt or otherwise protect PI. Twitch’s 8-hour delay in confirming the breach likely won’t help them either, as there are usually notification requirements in place for PI breaches that carry a risk of harm to the affected individual (e.g. due to the sensitivity of the information or the probability of misuse).
