Massive data breach “seemed inevitable”.
Following this week’s massive Twitch data breach – in which everything from site source code to streamer payouts was apparently leaked – a new report has accused the company of fostering a culture that values “speed and profit over the safety of its users and security of its data.”
That’s the claim made by The Verge, whose sources suggest this week’s data breach “seemed inevitable” based on their time working at Twitch, alleging a company culture “where employees were very concerned about safety but management less so.”
“There would be constant questions and discontent about the regular moderation failures,” a source told the publication, noting the company would respond to issues raised “very slowly.” As The Verge puts it, “If [a feature] wasn’t generating revenue, then it wasn’t valued as highly.”
One safety concern flagged by staff related to Twitch’s controversial raid feature, which has been in headlines recently after malicious users began exploiting it – setting up dummy accounts and bots to flood the chats of often marginalised streamers and subject them to doxing, harassment, and attack in a practice known as “hate raiding”.
Employees are said to have highlighted potential safety issues and opportunities for abuse relating to raids prior to launch “just by virtue of their name alone”, but management reportedly prioritised releasing the feature quickly over addressing concerns.
According to another source, Twitch has routinely opted not to disclose security issues it has faced, such as an unreported security flaw from 2017 that enabled scammers to contact streamers and request revenue sharing from Twitch Prime subscriptions, resulting in Twitch accounts being connected to compromised Amazon accounts – an issue said to remain a potential attack vector even now.
Twitch has at least acknowledged its most recent security breach, blaming the incident on “an error in a Twitch server configuration change that was subsequently accessed by a malicious third party”. Although the company’s investigation is ongoing, it says that while “some data” was exposed, it has found “no indication” user login details have been leaked.