My wife and I can't wrap our brains around the fact that payment info was leaked alongside source code.
Any theories how this happened?
Former pentester btw. I saw a lot of interesting things during my time, but I can't recall seeing a payment database next to a source code repo.
Did their s3 bucket get popped or something?
Even if their github enterprise got popped, that doesn't explain that streamer payouts down to the dollar were leaked. "Oh yeah, I commit all my stripe data into github. It's for compliance /s"
There are several ways this could have happened.
1) The payment-data were just artifacts left on some file-server or from a process, which was accessible from dev-space.
2) No real systems were accessed, and everything is from a bad backup-server or poorly managed worker-pool.
3) Multiple persons got hacked.
4) Exit-scam of one or more workers who just had broad enough access for some reason.
5) Twitch's security is just that bad.
One notable thing is that the payment-data are quite limited, there are no real private data it seems, and the git-history also seems to be missing. It's not clear whether this is on purpose and whether more data will follow. But overall this hints so far that this at least was not a full deep hack.
Git commits are a good place to look for passwords/users checked in, unless you specifically prune them. So your current mainline may not have it, but the stuff is still there in the commit history chain. So if you have access to that you probably could leverage it into several other systems.
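The point about commit history, as an added example that is not part of the original thread: a POSIX shell script for auditing a repository you own, showing that a credential removed in a later commit no longer shows up at the branch tip but is still found when every reachable commit is searched. The repository, the file name `app.env`, the `DB_PASSWORD=` format and the value are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example: audit a repository you own for a credential that was deleted
# from the working tree but is still reachable through commit history.
# The repository, file name and credential value are constructed for the demo.

# Assumption: secrets look like DB_PASSWORD=<value> in a config file.
PATTERN='DB_PASSWORD=[^[:space:]]+'

# Build a throwaway repository: one commit adds the credential,
# a later commit removes it from the file. Prints the repository path.
make_demo_repo() {
    demo_dir=$(mktemp -d) || return 1
    (
        cd "$demo_dir" || exit 1
        export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
        export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid
        git init -q . || exit 1
        printf 'DB_HOST=db.example.invalid\nDB_PASSWORD=constructed-demo-value\n' > app.env
        git add app.env || exit 1
        git -c commit.gpgsign=false commit -q -m 'add config' || exit 1
        printf 'DB_HOST=db.example.invalid\n' > app.env
        git add app.env || exit 1
        git -c commit.gpgsign=false commit -q -m 'remove password from config' || exit 1
    ) >/dev/null 2>&1 || return 1
    printf '%s\n' "$demo_dir"
}

# Files matching the pattern at the branch tip only.
# This is all that a review of the current mainline would see.
head_hits() {
    git -C "$1" grep -l -E "$PATTERN" HEAD 2>/dev/null || true
}

# Files matching the pattern in any commit reachable from any ref.
# Output is "<commit>:<path>"; -l lists names only, so the secret value
# itself is never echoed into terminals or CI logs.
history_hits() {
    git -C "$1" rev-list --all | while read -r commit; do
        git -C "$1" grep -l -E "$PATTERN" "$commit" 2>/dev/null || true
    done
}

# Demo run against the constructed repository.
repo=$(make_demo_repo) || { echo "git is required for this demo" >&2; exit 1; }
echo "branch tip:    $(head_hits "$repo" | wc -l | tr -d ' ') match(es)"
echo "full history:  $(history_hits "$repo" | wc -l | tr -d ' ') match(es)"
history_hits "$repo"
rm -rf "$repo"
```

A hit in history means the credential has to be rotated; rewriting history removes it from this repository but not from clones or forks that already exist.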
Also a pentester. My guess is they just had really broad access to Twitch's systems, not that card data and source code were together. Given the amount and range of data, wide-ranging access to their infrastructure is the only thing that makes sense to me here.
There are a ton of companies hiring pentesters. Most testers fall into the profession after having worked in other network or IT related professions. A few are freelance, most work for a company or in my case start their own and expand out services. It's not really any different than any other tech job at the end of the day, it just seems glamorous. Don't become a pentester if you're not ready to write extensive reports.. it's probably 75% of the job.
With that, there are tons of specific disciplines you can focus on for pentesting. I'd figure out what excites you and then go for it. Web app is diff than physical exploitation of security systems etc. but some of them cross over.
Another option. Work for the government, join a red team or apply. They'll train you and you'll leave with a new perspective and possibly knowledge you can't get elsewhere.
> if you're not ready to write extensive reports.. it's probably 75% of the job
Do you happen to have a system for building these out? As a techie, I imagine you've tried something like text-expander or similar... but I see a lot of people unsatisfied that they end up building their own tools.
Yes, we have a few tools that fill in based on scan data, with typical points of data, but a lot of what we're doing requires that it's presented in a few different perspectives. Generally we provide a couple of reports. First, the Highly Technical (with notes, logs of actions, etc.). This can be hundreds of pages, but it's meant to be a reference for the engineering teams fixing what we found. We also sometimes provide full screen captures of the "ops". Second, we provide a pared down version of that report with issues and recommendations, usually for the person that's hired us. It includes what we recommend for them to be successful. Finally, we provide an Executive report that is designed to be presented by the second report recipient. Usually we've addressed the high level issues, helped with internal requests if possible (IE IT/Security wanted a budget for new firewall, we help boost that with our report as part of future planning etc.) and ultimately this report is designed to give whomever hired us the ability to be the rockstar (we're just the tool).
So all in, there are different tools needed for each report. Fortunately the way we capture the data and notes throughout the "op" makes it much easier for the team to put together each part.
There are ways we could automate more, we've even messed with AI writing some of the suggestions and actions based on input. So far though, we still need the humans in the loop.
Honestly the first few reports are hardest, after that you find a process and it becomes much easier.
Wow -- thank you kindly for the thorough answer. It looks like you have the reporting down to a science (given how effective that comment was and how quickly you turned it around! :).
I've seen a lot of professions where in depth reporting still requires humans in the loop, and I think that will always be the case.
There's a small hope I have that one day writing will be a bit more like programming -- as in selecting a 'class' for a structure of a section / paragraph / thesis you want to communicate, which then provides typed functions for potential inputs -> outputs, freeing up human brain cycles for more interesting ideas.
Depends actually, if you just want to do pentesting then probably do some certifications like OSCP, CompTIA, etc. Once you get those it's quite easy to land an interview for pentesting.
Initially the job may not pay well but you can build your network and then probably start doing contract work. Most of the pentesters I know make more from freelance/contract work than their jobs. Because mostly those contract/freelance jobs pay on an hourly basis. The initial hourly rates usually are somewhere between 40-50 USD but they can go to 120-150 after just a few jobs.
P.S - I might have made it sound a very simple or easy profession but it's not :)
I would add that the more experience and time you have on the job those contract rates go up exponentially. I would also recommend if you're freelancing that you still do it under an LLC and purchase a liability policy. Too many risks.
For example. In 2012 average consulting hourly rate I charged $350. Stayed booked. 2016 $550. Stayed booked. In 2018 I had a couple really large clients that paid $1500+hr
There's gold in the hills, the trick is to figure out how to sell the pans, water, plots of land, and transportation to them. If you can work in complementary services or referrals for all the above, you just made yourself even more valuable.
Theorypothesis: the pre-Amazon acquisition company had very informal access controls, and Amazon is known for limiting how much change it imposes on acquisitions, so didn't know about this or didn't change to a more corporatey way of controlling access.
I guess if you have access to a build server that you might spy out some access credentials to other venues. Not impossible at least or perhaps some sort of service account was compromised that had access to both. Doesn't mean there was an immediate proximity of these systems, although that might also be possible.
I know projects that do or did put their production database credentials, which had full read and write access, in git.
And no, that's not a clever thing to do, neither is there a good reason to do it. But people do things you do not like and there's little you can do about it.
I would like to live in a world where you were right, but I am not. Sadly.
[Edit] dumps though are another thing. Not seen that, yet.
You need to open that link incognito. (If clicking through from HN)
The site you linked to detects if the referrer url is HN and instead displays only an image saying "HACKER NEWS - A DDoS MADE OF FINANCE-OBSESSED MAN-CHILDREN AND BROGRAMMERS" instead of the content you are trying to link to.
Yeah, it looks like there are a lot of hard-coded credentials, and one of those is to a twitch_reports database, which might be where these financial reports came from.
If you're using Firefox you can prevent the browser from sending the Referer by going to `about:config` and setting `network.http.sendRefererHeader` to 0.
When new sounds for System 7 were created, the sounds were reviewed by Apple's Legal Department who objected that the new sound alert "chime" had a name that was "too musical", under the recent settlement [with Beatles' record label Apple Records]. Jim Reekes, the creator of the new sound alerts for System 7, had grown frustrated with the legal scrutiny and first quipped it should be named "Let It Beep", a pun on "Let It Be". When someone remarked that that would not pass the Legal Department's approval, he remarked, "so sue me". After a brief reflection, he resubmitted the sound's name as sosumi (a homophone of "so sue me"). Careful to submit it in written form rather than spoken form to avoid pronunciation, he told the Legal Department that the name was Japanese and had nothing to do with music.
I worked for Nokia for a brief moment in time and the Nokia E71 (or another in that line) was internally codenamed "BeeBee" (like: blackberry) which was comical to me given that the phone looked a lot like a contemporary era blackberry.
The E71 was a god tier device. Owned one for a good bit as a teen and it was the perfect phone for that time IMO. You could even WhatsApp on it until relatively recently.
Yep! E71, E72, and E6 were some of my most loved phones. My love of that form factor meant that my first foray into Android was the HTC ChaCha - that was a mistake.
Oh man qtek flashbacks. I had a 5050, great device but good lord the battery life ducked as soon as you connected to anything (and it only had mobile data, no WiFi, unless you put in an sd expansion card). No more battery? Then your data gets wiped
100% agreed, my first smart phone and I still miss some features to this day. Really great. Shame no one makes a physical keyboard attachment or a follow up Blackberry device.
IIRC the whole common HW platform of late model E-series Symbian phones from Nokia was code named BB. Both E61 and E91 call themselves (IIRC) "BB v5.0" in USB descriptors.
It's more than just throwing money at it. EA tried and failed to separate from Steam. Epic might succeed, but it's not going to be because of money, but because Fortnite let them capture young gamers before they got into Steam. Wherever a user gets a critical mass of a library built up first is going to be the winner.
Useful to note that Prime Gaming has been doing the exact same strategy (for longer), backfilling users' catalogs by throwing a lot of money in games giveaways. Once the games have been added to your Amazon/Twitch today you can download an EXE installer from a hard to find Amazon page or use a really bland "Twitch Launcher" app that clearly is the first stage towards "Vapor" or whatever the final brand would be. For a lot of Amazon Prime users that pay attention to the Prime Gaming page month to month and click the bright shiny green "Claim" buttons whenever they show up, Amazon can just go "look at all the games you already 'own'" when they start actually marketing it as its own store.
It ought to be illegal for a 100B+ market cap company to operate in this way. They can just pour money at the problem until the incumbents shrivel up and die. Hyper fucking bad behavior that leaves the true innovators and people that care out in the cold.
On the other hand, it should be possible for consumers to claim products they own on different platforms by peering a list of their owned (licensed) products.
The early 20th century put a lot of Monopoly and Trust Busting laws on the books that say some of this is illegal, not just "ought to be". What we've lost since then hasn't seemed to be the laws themselves but the willpower to regulate in the spirit of those laws and executive power to enforce those laws.
I wonder how much I paid over the last 15 years for the 198 games in my Steam library. Not that much, I suspect between all the Humble Bundles and steam sales of yore. Nevertheless I was pissed when I had to get Origin in order to even play Mass Effect 3, and I never even considered the epic store, so I think the theory of library investment is sound. Steam has a good head start on a lot of us.
Everybody hated Steam when it was new too and with the frequent Epic game giveaways people will eventually have large catalogs of Epic games they grabbed on a lark. Between that and a number of highly desired sequels being exclusive to the platform I can't see why they wouldn't be able to eventually make inroads.
Do you remember a time when people were predicting this deep pocketed company Microsoft would bomb with their Xbox? It’s not a sure thing that Amazon could dislodge Steam, but there’s precedent.
By better systems, I hope you are also including, to name a few: Remote Play, Remote Play Together, Game Streaming, Screenshot capture, Controller API that also works in Desktop, a project to help Linux compatibility with zero effort from the game devs.
I think people just consider Steam as a store, but it has become much more than that.
Never got as far as Remote Play or Game Streaming but would have been trivial for us to do so given the backend infrastructure we had already written.
Game overlays and capture were working fine, and the controller API was designed to support any number of controllers (Steam's support is great but their interfaces are subpar, in our opinion). We were also able to pull from a well known database of controller configurations and device IDs, which really made this a non-issue.
Linux compatibility was fine as far as the client went (all of our code was cross-platform and not webkit frames or the like). The client even ran on Android and iOS.
If you're referring to Steam's Proton, we really didn't want to touch that area for a while. But we had much better systems for searching for new titles, including those that worked well on the system and also matched all of the criteria (tags and whatnot).
Our social system was also designed to support "cross-talk" between different marketplaces (Steam, GoG Universe and Epic) but we never got as far as building out any client functionality - just the initial blackbox proof of concepts.
The store aspect was indeed just a smaller part of it, though it was complicated in its own right.
The project was a great idea and we were executing well on it. Lots of cool new tech was developed for it. But nobody we talked to wanted it - including publishers, users, investors, or even friends. It didn't matter how compatible we made it, the fact that we didn't push you to re-buy games, etc.
We wanted to make a non-shitty experience for gaming and the market simply said "no".
We definitely thought about it, but decided against it. We've re-used a lot of it in some other endeavors we're working on so we don't really want to share the IP.
Amazon already has customers. If their other products are to go by, they'll just give you an account if you have an Amazon account. Probably combined with free games if you have a prime account and you can imagine that it won't take much to compete, at least not for a company like Amazon.
That was my thought. They already give away free games over Prime, if they leverage that they have already given a large number of people stake in their new market place. Plus they own Twitch, I don't believe there is a publisher who isn't interested in the idea of people being able to impulse buy whatever their favorite streamer is playing without even leaving the stream. The strategy is pretty easy actually, give streamers a cut of each sale and encourage them to put up notifications when it happens like they do subs and cheers.
The free games on prime accounts is probably exactly what will happen, and will probably be what needs to happen for it to be any amount of successful.
Look at Epic which offers free games but sees pretty slow growth outside of their flagships. Further, look at Amazon's lumberyard engine, which gathers dust for the most part.
I'm not convinced that their 'weight' will automatically guarantee wide adoption.
> no users, no publishers, neither want to join without the other
> Amazon will definitely get publishers but will users join?
Well, the publishers will be there. If users have a reason to go there over Steam, they will. Amazon will lock in a few exclusives, people will start to come over. Who knows, maybe there will be some way to verifiably move your Steam library over to an Amazon account?
I don't think the bar to compete with Steam is as high as you're suggesting, but even if it is, if anybody was going to start listing companies that could conceivably do it, Amazon would probably be on the list.
> Who knows, maybe there will be some way to verifiably move your Steam library over to an Amazon account?
The library is the #1 reason people stay in Steam. Lots of people just buy games in other places and just add it there.
Amazon could, for example, offer different royalties (say, 10% instead of 30%) for publishers willing to have their old games "moveable" to Amazon's hypothetical new platform and I bet a lot of studios would take the deal. This is not unheard of: it's how Apple does iTunes Match.
> Who knows, maybe there will be some way to verifiably move your Steam library over to an Amazon account?
Given that steam has pretty strict terms with publishers over this, I highly, highly doubt they would do this unless they wanted to dump a huge ocean of money into free license comps for developers to make money from and for users to get free games.
Competing with Steam isn't only just a money/size thing, though of course that helps.
I would imagine they would attempt to secure exclusive rights to a popular title and only distribute it from their new platform. I believe that is what epic did when they launched their store.
I think Microsoft is just less concerned about hardware now, so it looks like they're doing worse when they're not really.
Like I haven't touched my Xbox One in years, but I'm still giving them $10/month for Xbox Game Pass for my PC.
"In its latest financial results, Microsoft announced that the gaming division revenue was up 50% year-on-year, boasting huge $3.53 billion earnings over the past 12 months. The vast majority of that income stems from Xbox hardware (largely the launch of the Xbox Series X/S), which is up 232%."
- Less generous regional pricing (like on consoles) in exchange for slightly lower overall pricing
- 5% cashback into wallets, like Nintendo eShop
Epic only does some of these things, which is why it's struggling. Its lack of social features is a major reason for low engagement on the platform, probably driven by Tencent and Chinese censorship restrictions (in the same way that the Steam forums are unavailable in China).
Exclusives are anti-consumer and don't convince users if we follow what Epic did.
It's easy to say "curation/quality control" but to come up with a method and algorithmic way of doing it well is insanely difficult.
Anti-piracy is just called DRM and it's not really foolproof nor always desired. GoG is successful in catering that niche. It also requires a good understanding of reverse engineering hardening, so much easier said than done.
Forums/modding/whatever, yeah sure perhaps "simple" but quite extensive. Even for a large company, code doesn't write itself (well, not any code you want to rely on, at least).
I don't really get the console pricing aspect, sorry.
Cashback isn't a free thing, it's a marketing campaign - even if it runs indefinitely. I don't think that would work by itself, it's a bit of a gimmick.
Epic is struggling because of their anti consumer strategies, aggressive and oftentimes reckless CEO, seemingly constant and very public lawsuits with huge companies, and trying to stay relevant outside of Fortnite.
I agree that lack of social contributed to it but is far from the only problem. For example, Epic doesn't have a cart. It's been a widely requested feature, but they focus on other things.
Tencent is a cancer upon this world and I have little base respect for companies that go with them.
Anyone who played the New World private alpha knew this: the first alpha (closed) had an Amazon Games, Epic Games-like client. They chose to remove it for the New World public beta and release, but I knew they had been working on it because of it.
This is somewhat hilarious. Just 5 days ago I was complaining about Twitch’s new "Only verified users" setting which requires me to give them my phone number. One of the reasons I said I’ll not do that was "hacks, leaks". And now this. Sure, I’ll give you my phone number to add TOTP (Why even?) after I’ve just been shown how secure that data is.
I don't really get this. My phone number is apparently already known by every scammer and spammer on earth, which is why I never answer calls from people I don't know, so what am I losing?
Meanwhile, Twitch has had a significant bot spamming problem.
The fact that they can use this number to correlate against contact lists collected from other people.
Now I don't think Twitch itself is doing this, but they may provide this information to marketing platforms such as Facebook which will use this data for ad targeting (and they definitely have a lot of people's contacts and can infer social graphs very well as a result).
> I don't really get this. My phone number is apparently already known by every scammer and spammer on earth, which is why I never answer calls from people I don't know, so what am I losing?
The only scammers who know my number are my phone-provider and my mom. Other scammers either never call me, or just don't know the number. Protecting your number is possible.
> Meanwhile, Twitch has had a significant bot spamming problem.
Which can be solved without this. The bot-problem is more about people not using the existing tools well and twitch sucking in their handling. Adding another feature they won't use will not make anything better. Especially as the phone-number only raises the bar for bots.
You can also restrict to following-age, certified e-mail, and some more. That experienced mods have little to no problems with bots speaks kinda for itself. Additionally, there are also a bunch of requested features on twitch-side which could have defused the problems even more, without opening the privacy-box.
I’m also subscribed to a few channels. I’m pretty sure that is a far stronger signal that I’m not a bot than getting my phone number. And unlike most people, I only had 2 or 3 spam calls, and maybe 10 spam SMS on the number I’ve had for almost 20 years.
Scam calls just end up ringing every working number these days and if you pick up even once you're already on the list of "real people". Targeted scamming of even just 100,000 potential victims is just wasted effort when with the same setup you could do untargeted scamming of 100,000,000 potential victims.
This is a readily solvable problem i.e. the only phone number I use/give online is a VOIP# that just redirects to voicemail immediately (and blocks the call if it's on my SPAMMER list of persistent annoyances).
For friends/family they have my cell# and it only lets calls through if they're in my contacts.
Even though it should not be, this approach is a luxury that can only be afforded by those who do not need to take live calls from previously-unknown numbers. Job hunters, medical patients, etc.
The point isn't to authenticate control of an account, it's to tie the account to some kind of expensive-to-replicate real-world cost, ideally one that most potential customers are already paying for.
Phone numbers are nice because the marginal cost to a customer is low (they probably already have one) while the marginal cost to a bad actor is high (it's expensive to acquire many of them or to change one once it's been identified as malicious).
I use voip.ms and it is pay-as-you-go so it's nominal e.g. $1-2/mnth. It allows setting up all sorts of call handling rules (time-of-day, CID lists, call trees).
From what I can see their 2FA is not inhouse. They're using twilio's Authy (first time I've heard of it, honestly) so maybe the phone numbers are not in the leak.
I’m assuming they may have had access to private API keys so unfortunately Authy may not be immune. That is unless Authy hides those details from their customers.
From another site a user commented that it might have proprietary modifications to ffmpeg which is LGPL/GPL (I think?). Would a leak be considered to be distribution, could others legally take these modifications and merge them into the upstream project?
I imagine other free software might have modifications too.
The IP issues with the leak are interesting. There's got to be some Stack Overflow copy/pastes, perhaps some variable name changed license violating code, and I wonder if patent trolls or even rightful patent owners can now sue based on how backend code works in a way where they had no way to sue if they didn't know how it worked from interacting with a frontend.
But seriously, if it takes trolling through the code to determine that Twitch's math violated their special way of doing math that no one else should get to use, it's just more evidence that software patents aren't helping protect or encourage innovation (else the violation would have been apparent from using the service). It would instead clearly be a "hah, gotcha, turns out we patented the linked-list-inside-a-hashmap construction you've got going on here, pay up! Only we can put the Legos together in that way!"
I believe so, and this is why the AGPL was created:
> The GNU General Public License permits making a modified version and letting the public access it on a server without ever releasing its source code to the public.
> The GNU Affero General Public License is designed specifically to ensure that, in such cases, the modified source code becomes available to the community.
Let me add something to be clear. As I understand it, free software was always happy to let you or your company modify and use software for your own use. The philosophy was always about respecting the users of the software, so the licenses don't kick in until someone else uses it. The problem addressed by AGPL is that someone can use your software over a network connection without running it themselves: a loophole in GPL.
Yes, it is valid. Consider for example: If you are an embedded hardware company. You modify GCC to support a new target / platform. Then, you can compile C code and create binaries for your embedded hardware.
As long as GCC is not distributed, this is a perfectly valid use case for GPL'd software.
Less abstract: Facebook famously has massive internal patches for MySQL, which is GPL'd. And of course, Google has massive internal patches for Linux kernel, which is also GPL'd.
The GPL can't actually force them to license their downstream changes, just revoke their ability to use the upstream project if they don't, and sue for infringement for damages.
Just goes to show you how small the top is in streaming. Based on this data, and assuming twitch payouts are about a quarter the average streamer's income, about 300-400 twitch streamers get paid more than the total comp of senior staff engineers where I work. Let's be generous and say that these people have no staff to pay (false assumption, e.g. Pestily has stated that he pays hundreds of thousands on salaries for editors, moderators, social media people, etc.). There are far more people than that at my one company making this kind of money, not to mention all the other big tech companies and startups.
That's just a long way of saying that if you wanna get rich, learn how to write code and talk to people. Way easier than becoming one of the top 3-400 streamers in the world.
Getting paid 7 figures for writing code? That is an anomaly and is not in line with reality. Just doing a cursory Google search for Senior Software Engineer salaries puts the average at ~122k [0], nowhere close to the amount one of those Twitch streamers makes. I wouldn't call it rich either, maybe middle class or upper-middle class at best.
Only someone on this website would call 122k per year middle class. This is why America is divided. Even if you're the only breadwinner in your household this is solidly above the 85th percentile in income. That's practically the definition of upper class.
I think more accurately, it means you either have enough wealth that you don't have to work to maintain your lifestyle, or your income is high enough to support extravagance without going deep into debt.
Bezos doesn't have to work. To be honest, I don't know why he still does. Personally, if the stock options at the startup I work with end up panning out to be worth $5M or more if/when they go public in a few years, I'm taking that cash and retiring at 45. Throwing it into an S&P500 index, I could live off the interest for the rest of my life.
People are generally paid based on how hard they are to replace, not by how much profit they generate. But in some markets, this results in people making terrible wages while the company makes tons of money, ie, Wal-mart and basically all the major fast food chains.
Corporations are so used to applying arbitrary values to ephemeral things on their balance sheets that I think such a mentality seeps over into highly skilled employees in some cases.
In other cases, the business's viability is determined by how many minimum wage (or better yet, off the books entirely) laborers can be obtained in a given week. See: every construction project in every US state, for example.
Some context in case you're not used to Bay Area Big Co. Compensation:
1. Indeed, Glassdoor and other mainstream sites are useless and at best report outdated base salaries. Use levels.fyi or teamblind.com for more realistic data.
2. 50% or more of the compensation at these companies is in RSUs. These companies have performed remarkably well over the past decade. Folks who have had exposure to their stocks as employees have done very well.
3. Half a million dollars a year (before refreshers, etc.) is entirely realistic at the Staff level and at Senior Staff, you're often looking at anything from $700K to low $1MM.
For these companies, the scope and weight of someone at that level of work is impact across millions/billions of users and their actions can make or lose you similar amounts of money.
Remember that this data covers slightly more than two years of payouts. So under my (admittedly low-information) assumptions, streamer #400 gets 750k in revenue annually.
Also, you linked to the wrong job title. I said "senior staff" software engineer, which where I work is two rungs above senior engineer. http://levels.fyi has comp estimates for a bunch of the big tech cos. $750k is far from an unreasonable amount for someone to make in this line of work, and plenty of folks make a lot more than that.
I can't help but love the fact that PaymoneyWubby (a fat ginger nerd who makes interesting content, at least on youtube) makes more than Pokimane and Amouranth whose primary feature seems to be young, attractive, and female. Perhaps there's a tiny bit of justice in the world.
I see your point but it's really just a fact of online life that you can make a lot of money as a woman on twitch. That isn't to say that all women streamers are exploiting that fact i.e. aren't making actual content, but it's simply (simp-ly?) a different calculus which I can't really blame anyone who can stomach it for exploiting.
That may be true about Amouranth but Pokimane is genuinely just as content-driven and "gamer" as any of the top (like xqc for instance). There's more to her streams than her looking pretty - the same probably can't be said about Amouranth.
Indeed. A comment above also estimated sub money to be ~1/4 of streamer's earnings, but as you mention that can vary quite widely, and in my experience it does quite so for female streamers. Pre-OF sex work is quite a lot like that too, you generally have a few whales making up ~90% of your revenue on cam sites, which is not great. On Twitch too, in my experience looking at "top donators", it's usually just a few handful of people giving big sums to female streamers.
That's being irrationally dismissive of the effort and merit it takes to win in an attention market in a particular way purely because of a personally biased judgement of value.
The real genetic lottery winner on Twitch is being a white male given the relatability to the majority of Twitch's audience, and as the data leaked supports.
I mean even consider the cost those creators have to bear of dealing with people who are constantly claiming that their success is somehow invalid.
> Some Twitter users have started making their way through the 125GB of information that has leaked, with one claiming that the torrent also includes encrypted passwords, and recommending that users change their passwords to be safe.
Twitch just asked me to change password for the first time, so it sounds credible.
It's possible, if there's a full database dump, that direct messages could also be leaked, which could be incredibly damaging. I'd guess that these would be in another storage medium however.
One wonders. Why are encrypted passwords stored in an external code repository?
I'll be curious as well once this makes its way to haveibeenpwned. Requested for it to be deleted and forgotten a few years back, won't be the first time an account of mine has been "deleted" to then miraculously be hacked or caught up in a leak.
That's only a very narrow link though, isn't it? Just lets you claim Prime benefits, doesn't give access to Amazon purchasing or payment details or anything?
If it's any comfort, for some reason twitch uses Xsolla as its payment processor. That is, you cannot pay for premium twitch with your amazon account.
Looks like passwords were hashed with bcrypt using a cost factor of 10. I wouldn't be too worried for people with good passwords set up even if hashes got leaked. People with common passwords should probably change their passwords just in case though.
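The cost factor mentioned in the comment above is readable from every stored bcrypt hash, which is how it can be determined from a dump and also how a defender can audit their own user table. The following is an added example, not part of the thread and not Twitch's code; the `MIN_COST` policy value, the function names and the sample rows are assumptions constructed for illustration.

```python
import re
from collections import Counter
from typing import Dict, Iterable, NamedTuple, Tuple

# bcrypt modular crypt format:
#   $<variant>$<two-digit cost>$<22-char salt><31-char digest>
_BCRYPT = re.compile(
    r"\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})"
)

MIN_COST = 12  # assumed policy value for this example, not a figure from the thread


class BcryptHash(NamedTuple):
    variant: str
    cost: int
    salt: str
    digest: str


def parse_bcrypt(stored: str) -> BcryptHash:
    """Split a stored bcrypt string into its fields, validating the layout."""
    m = _BCRYPT.fullmatch(stored)
    if m is None:
        raise ValueError("not a bcrypt hash in modular crypt format")
    cost = int(m.group(2))
    if not 4 <= cost <= 31:  # range accepted by bcrypt implementations
        raise ValueError("bcrypt cost out of range: %d" % cost)
    return BcryptHash(m.group(1), cost, m.group(3), m.group(4))


def key_setup_rounds(cost: int) -> int:
    """bcrypt repeats its expensive key setup 2**cost times per guess."""
    return 1 << cost


def work_ratio(stored: str, target_cost: int) -> float:
    """How many times more work per guess target_cost demands than the stored hash."""
    return 2.0 ** (target_cost - parse_bcrypt(stored).cost)


def needs_rehash(stored: str, min_cost: int = MIN_COST) -> bool:
    """True when the hash is below policy or is not bcrypt at all.

    The plaintext is only available at a successful login, so this is the
    check to run there before re-hashing with the current cost.
    """
    try:
        return parse_bcrypt(stored).cost < min_cost
    except ValueError:
        return True


def audit(rows: Iterable[Tuple[str, str]], min_cost: int = MIN_COST) -> Dict[str, object]:
    """Summarise a (user, stored_hash) table: cost histogram and users to upgrade."""
    costs = Counter()
    rehash = []
    for user, stored in rows:
        try:
            costs[parse_bcrypt(stored).cost] += 1
        except ValueError:
            costs["non-bcrypt"] += 1
        if needs_rehash(stored, min_cost):
            rehash.append(user)
    return {"costs": dict(costs), "rehash": rehash}


# Constructed rows: the salt/digest parts are filler characters, not real hashes.
SAMPLE_ROWS = [
    ("alice", "$2b$10$" + "A" * 22 + "B" * 31),
    ("bob", "$2b$12$" + "C" * 22 + "D" * 31),
    ("carol", "0" * 32),  # stands in for a legacy non-bcrypt value
]

if __name__ == "__main__":
    print(audit(SAMPLE_ROWS))
```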
Couldn't help but contrast this to another item on the front page.. the irony of video game streamers making many times more than the lifetime earnings of Nobel Prize winners :)
Sports and Entertainment has always been a way to leap frog hard work.
I am not saying at all it is not deserved. I am quite ok with them earning millions. But it does make a lot of us pull this comparison, both in achievements for humanity and in effort spent in their endeavors.
I personally never played or wish to play the fame lottery, I prefer the hard work path.
I am guessing the most popular streamers have gotten where they are by hard work.
Yes some is luck, attractiveness, etc. But that's true in all careers.
Just because they're playing games doesn't mean they aren't working. Athletes get insane amounts of money to play games. They exert themselves more physically, but I expect being a top streamer day in and out isn't a cake walk either.
Yeah, a lot of people, especially younger folks that want to be a streamer, miss the fact that people don't watch streamers just to watch someone play a game, they watch them because the streamer is entertaining.
Unless you're an absolute god at whatever game you're playing, nobody wants to simply watch you play a game. People come for the live commentary and audience interaction.
Being a successful streamer takes charisma and cleverness, and being clever and charismatic for 3+ hours straight to entertain your audience can be exhausting.
I think Kobe Bryant working on his free-throws from 4 AM to 8 PM every day for decades is much harder work than some dude making dogecoin over a weekend or minting an AI-generated NFT.
Wealth is not linear, it's not promised as the result of "hard work". Hard work helps, but it isn't the determining factor of whether or not you'll get a payout.
You must work hard in a domain that has public visibility and actually produces something of value to people. And yes, Basketball (and watching it) is extremely valuable to a lot of people.
There are plenty of professions where the people work just as hard as professional sports people. The wealth accumulated has nothing to do with working hard or not working hard, but rather with the public visibility of the outcome of the work (and ability to make money with that).
Many comments saying sports and streaming is hard work. Well, no doubt it is. Many pulling 12h or 16h work days. I agree.
Nevertheless, anyone that manages to have 5+ million USD in property and savings before they are 30 got to a level of wealth in 10 years that 90% of people will not achieve in a lifetime.
Totally fine. My issue is with the streamers who promote socialism to their fans and say that wealth should be distributed, meanwhile pocketing a huge paycheck. I guess there's a market for stupidity. It's both funny and sad.
I think you'll find most socialists don't care about people having a few million, the issue is those hoarding hundreds of millions, or billions. Of course, I can't speak for everyone.
(TTS donations, 3rd party revenue like OnlyFans, Patreon, Amazon Gifts and sponsorship deals... are not included)
Total gross payout in the leak (2019/8 to 2021/10) was 4.2 billion dollars across 344k users. (based on data points above alone but could be wrong since it's anons on 4chan.)
PS: Make sure to change your Twitch (and possibly Prime) password. Twitch is already prompting users to do so based on Reddit posts.
I don't think it's funny, I think it's sad because most of it comes from the emotional exploitation of parasocial relationships.
Something we used to scoff at in places like Asia, now even casual relationships are utterly commoditized and we taught a whole generation of young humans how that's the most normal thing in the world.
Agreed. I recently started exploring Twitch and in the first hour of just sitting there watching it, I was surprised how aggressively exploitative it was. The fact that it's young people there exploiting makes it even more gross.
Isn't that the basis of the economy with the increasing wealth gap and so on? It's not really materially different to paying Disney millionaires to go watch the latest Marvel movie.
> It's not really materially different to paying Disney millionaires to go watch the latest Marvel movie.
I feel like it's substantially different, you are paying Disney the money to watch the movie, you don't really care about the actors or other people who worked on it.
On the other hand, twitch users pay for the sake of paying money, it's closer to something like strip clubs.
That's a pretty harsh moral/value judgment on how someone chooses to spend their entertainment money.
What about comedy clubs? If I buy a ticket to see Dave Chappelle, who is clearly wealthy, am I sucker too?
What about paying cover at my local bar because a local band is playing that night?
What about buying tickets to a baseball game, to see a bunch of millionaires play a game for a few hours?
You are making it seem like users get nothing for their money, when there is plenty of established precedent for giving money in exchange for attending a performance.
Sure the performance has changed, but the actual difference here is that these Twitch millionaires (and the rest who are far from millionaires) are literally charging "pay what you can" instead of setting a minimum ticket price for their show. Plenty of people (the majority in fact) get the show for free.
Sorry, I didn't mean that in a derogatory way. I just meant twitch users pay for the sake of giving money to their favorite streamers rather than paying for a product. Strip clubs are the first example that came to my mind, bands or comics also stand. My point was that OP's argument about comparing twitch to movies doesn't make sense because paying for a movie is no different than paying for groceries.
> because paying for a movie is no different than paying for groceries
Groceries are necessary for survival, and limited in quantity.
Movies and streams are similar to each other because they are both video content. And as long as the creator of the stream or the company behind a movie get paid enough to make the content they could’ve received no more money and still gotten by fine.
Streams are a little bit different from movies though because much of the audience is actively engaging in conversation with the creator or making requests to them etc. In that sense a stream has an aspect of limited supply to it that a movie does not. At some point the audience of a stream will be too big for the creator to be able to meaningfully interact with all of them, and at a point after that maybe even too big to be able to meaningfully interact with any of them.
And so if you have a lot of people that want to interact with you it makes sense to prefer interacting with the ones paying you money, and to encourage them to do so. And beyond that, it also makes sense to offer “exclusive” content to people that pay. So OnlyFans makes sense too.
What really has me upset though is thinking of the people that are on the audience, among whom some people have little money but also get so little attention IRL that they are paying someone who already has a lot just to interact with them and maybe even being deluded into thinking that they have some form of “real” relationship with them. That is very sad and something I don’t think has been studied enough and is not being talked about enough.
I sub to twitch streamers I watch because dollar per hour it's the cheapest form of entertainment besides torrenting for me.
There was a stint during the GTA V RP craze I had it on in the background and watched it for approximately 6-8 hours every day. I subbed to one streamer for like 5 bucks.
This averages out to like 2 cents/day for 240 hours of entertainment. Cheaper than netflix, cheaper than cable, cheaper than hulu... You catch my drift. I don't know how this is different than me paying $80 to spend a night out at the movies with my wife, other than it being insanely cheaper?
> I just meant twitch users pay for the sake of giving money to their favorite streamers rather than paying for a product.
I still think this is a narrow view.
So you don't consider a performance to be a product?
How is going to the movies different from going to a baseball game or a concert or a comedy club?
If those are like movies, and movies are like groceries, are we not back to the same point that people are exchanging money for some kind of benefit, whether it's a tangible thing they take home or an experience they enjoy?
I think strip clubs are a fair comparison. All of the things you listed, you pay money for access to the experience. The money changes hands before you get in the door. For both strip clubs and twitch, getting in the door is free. In both cases what you pay money for is the attention of the streamer/stripper in the moment you are giving the money (or just because you feel like giving money to them for the performance you are seeing.)
A less emotionally evocative example might be giving money to a street musician who accepts requests for donations. Either way, the street musician is there performing and you can enjoy the music whether you pay or not. But the money gets you a bonus, and you’re free to give money regardless of desire to request a song.
I'm not sure I agree that "paying money to get attention" is the majority of the monetary interactions on Twitch.
Or at least, maybe that's a welcome side effect but not the main motivation for a lot of people.
I am guessing here, I have no data to back this up, but I feel like a lot of people sub out of gratitude and as a show of support, and less to draw attention or get some kind of shout-out..
I do watch a decent amount of streams on Twitch across a few categories, but I've never subscribed or donated to any of them, so it's possible I'm wrong here.
Also I did make the distinction between paid performances and "pay what you can".. That was indeed my point, that Twitch differentiates itself by being an essentially "pay what you can" service where the majority don't pay anything, but lots of people still manage to make money giving their work away for free.
Groceries are so far outside of paying for any form of entertainment. What does it matter if you pay for a movie or tip a streamer? It's all content meant to be consumed and replaced with more content.
There are three things you need to survive: food, shelter, and love/community.
Entertainment can sometimes provide the last one (love/community) but for the most part it's fulfilling a need for distraction and/or curiosity.
Like with strip clubs, when you give money to a Twitch streamer, you're getting something in return. Twitch subscribers get lots of exclusive access to stuff.
Twitch streams aren't free though. If nobody paid then they wouldn't exist. It's just a voluntaryist model. Those that pay, do, those that can't or don't want to, don't. So I'm not a sucker for choosing to fund a form of entertainment I find valuable.
I treat museums the same way. When I was young and poor my parents didn't pay to get in since it was optional. But now that I'm older and I make good money, I donate extremely well when I go to museums. I know that it's voluntary and I choose to participate in funding it because I enjoy the experience.
Even if no one paid, they would easily exist through ads and sponsorships. Paying a rich person for something free is just bad money management no matter how you rationalize it to yourself.
Do you think the same way with movies? Many movies could probably survive on ad placement revenue alone. Why do you pay to go to the movies? Do you think the same way with buying a laptop? I'm sure you could fund a laptop with ad and bloatware placement, so why do you pay bill gates for a surface book?
If nobody paid to go to the movies, then nobody would want to advertise in those movies, those movies would lose their sponsorships, and stop being made. If everybody unsubbed from netflix right now they would stop funding original content, even though the content they make has ad placements. Why even ask netflix for money if you can just make a wildly successful tv show with ad placements and release it for free?
Why should you pay to go to a football game? Why should you pay to watch a football game? All the players have sponsors. They're all millionaires. Why did our parents pay for cable? Cable had ads, all the actors were millionaires, the cable company owners were millionaires, the production studios were millionaires. You're saying practically everyone who bought cable in the 1990s-2000s was bad with their money because the actors were millionaires and had ad sponsorships? Give me a break.
I just think it's incredibly disingenuous that because someone is leveraging a SLIGHTLY different monetization model that allows for free consumption, that anyone who pays for it is bad with their money. Maybe if you condemned ALL luxury spending with the same energy I could see you're at least being consistent. But this is just more irrational disdain for the new wave of media consumption.
Some people, on the other hand, like to reward others if they enjoy the product/service/performance they provide.
That's the nature of "pay what you can". If money is tight, then don't pay, and don't feel bad about it. But if you have disposable income, and you value the experience, then give what you can as a form of gratitude.
It doesn't need to be said that if everyone took the "it's free so I don't have to pay anything" route, then there would be no show to see.
I mean....sure, I guess, if you're only talking about the top 10 or maybe top 200 streamers.
My favorite twitch streamer, 'x5_pig' (996th highest earner on twitch) only grossed $186,000 over 24 months, and lives in a fairly HCOL area in Australia. I'm happy to give him $5 or so to help make sure that he continues to stream an EOL game, Starcraft2.
Sure, he has other revenue streams as well but I can only imagine the risk he takes by sticking with a game that's been EOL'd. When Blizzard shuts down the servers I imagine he'll have no career left at all and will likely have to start over in a totally different career. I'd be surprised if he could start streaming some other strategy game and maintain enough earnings.
I pay him $5/month to help swing his risk-reward balance in favor of continuing to produce the content that I most enjoy vegetating to after my 12 hour day of coding/troubleshooting/collaborating.
Sure, he has other revenue streams (YouTube, announcing for major tournaments, etc). But I imagine for him it may be important to earn enough over the 10 year life of Starcraft2 to mostly-retire in case he ends up without a "real" career.
In fact, sometimes I wonder whether income tax brackets could potentially include consideration for short-lived high earning careers. Seems it might be slightly broken to tax someone who has a stable $1MM/year income for 30+ years (e.g. car dealership owner) the same % as someone who makes $1MM this year, but next year might be earning $40,000 working at that car dealership (athletes, streamers, windfalls, etc). Seems like it might make sense to allow people to "defer" earnings to future years, as long as income tax is eventually paid in full. This could allow people who unexpectedly earn $1MM for just one year to spread out those earnings over 10 years and pay a more appropriate % as taxes. Not sure what else this could break though, or how much of a problem it really solves vs. other things legislators could be spending time on.
I would assume big streamers are running a business too. At the very least they are paying an accountant and probably lawyer (for incorporation, taxes). I'm sure some are also paying designers, editors, marketers, advertisers, agents, managers, etc.
On youtube you have streamers merging under the same umbrella to create branded channels.
IMO the differences compared to Disney is the scale of the production and the interactive medium (which is constrained by scale). Once you reach a certain scale I don't think you can expect much direct interaction due to the volume of chat. So really it's just scale.
I mean it's not cynical (at least not anymore than your initial comment), it's what we're doing and why I used another entertainment option as a point of comparison.
Of all the things on Twitch the value of Hot Tub streams seems very upfront and I think it's pretty telling that there are vanishingly few successful streamers doing it and that for all the hot air people spew about it, it's a very niche part of the site.
Same as with paying to see a Disney movie: entertainment. It's just a bit more interactive, since streamers are a bit more likely to interact with you after you give them money.
Is there a point you're failing at making? In my mind it's no different than, say, voting for contestants on talent shows, or paying a camgirl, or pay-per-view WWE events. Same thing targeting a different demographic.
I think the word you are looking for is entertainment. You may not appreciate the value of said entertainment, but then I don't really see a merit of donkey shows, Kanye or just about any other entertainment figure. That is the value.
Are you using VHS for said taping? I suddenly wonder if this is one of those anachronistic phrases, or if people no longer use it and you're revealing your age.
To be fair, the number of millionaires is overall pretty low in numbers. Just some few dozen worldwide. Most top-streamers "only" earn as much as upper middle-class or less. Compared to other sketchy businesses, this seems relative ok. Be aware that those numbers are before taxes and are not including expenses, which can be quite high in the top league.
Yeah, it's so absurd it's hilarious. Seeing people make millions of USD for playing games and mentioning others in a live stream made me seriously rethink the value of my own work.
Yeah, and what's wrong with that reaction? I'm supposed to just accept this stuff?
The blue collar workers are right too. They should be getting paid a lot more. Certainly not less than streamers. It's not fair and I refuse to accept it.
Come to think of it, advertisers seem to be a major cause of these distortions. They distort the value of activities that happen to have an audience. Yet another reason to block ads: help restore balance to society by ensuring people are properly rewarded for the actual value of their work instead of how many eyeballs they can summon.
Because that's not the field of work I chose for myself. I do see construction workers on a daily basis though. I also know the owner of a construction company, he's part of my extended family. The wealth disparity between the workers and my family member is obscene. There's no way I'll ever believe they couldn't be paid better wages.
There’s a very large nearly endless supply of laborers that can do this type of work though. The more niche your skill set the higher you can demand in pay. This is economics 101. You are putting this into a moral space that doesn’t reflect economic realities.
It's somewhere between "paying to not see ads" (mechanical) and "being a fan and wanting to contribute to them" (parasocial). I don't think most people care if they're a fan of a millionaire - see sports and entertainment celebrities. Looking at things reflexively through a wealth-inequality perspective is done only by a minority of people.
I was watching a streamer the other day and she was doing some stunt because another streamer promised her an iPhone 13 Pro. But now I realize she could buy hundreds of them! Argh. Here I am waiting two months so I could afford to put a down payment on one.
In streaming case, for whatever reason you want to make a donation to somebody, not doing it because they are richer than you seems very strange to me.
> I wonder if this'll lead to software engineers in big companies having more restricted access to code?
I don't think that Twitch has closed source code because they want to keep code private. It's probably more a matter of not wanting to show commit messages in case there are some bad words inside them, and not wanting to show the world in case their source code looks bad.
Twitch without its code source can't work yeah, but imagine if all the commits of Twitch were public I doubt it would change anything for them.
That would be nice if there was a mental change about source code and that it is fine to show it even if it looks shit.
You don't think the largest streaming platform on the planet wants to keep their intellectual property a secret? This isn't about being embarrassed over some comments, it's about completely revealing the algorithms that move streams to the promoted views, limitations of their filtering systems, the time it takes for someone to count as a 'viewer'... there are many pieces that are no longer secret and can now be manipulated by people trying to promote content or game the recommendation system or bypass filtering.
There is also the issue of security. I'm sure people will be combing through the source code to find anything they can exploit, even if it's a simple XSS attack. It could either be sold/used for malicious actions or submitted to the bug bounty program for the reward money.
Doubt they care too much about bad words in commit messages, what they should worry about is if they've ever checked in passwords/secrets/private keys and not re-written the git history
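The point in the comment above is that deleting a credential in a later commit leaves it in every earlier commit. The following is an added example, not part of the thread: a small scanner over `git log -p` output that reports secrets introduced anywhere in history and whether a later commit removed them from the tip. The two detection rules, the function names and the embedded log are assumptions constructed for illustration; production scanners use far larger rule sets.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# Two illustrative rules (assumptions for this example).
RULES = {
    "private-key": re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
    "hardcoded-credential": re.compile(
        r"(?i)\b\w*(?:password|passwd|secret|token|api_?key)\w*"
        r"\s*[:=]\s*['\"][^'\"]{8,}['\"]"
    ),
}


class Finding(NamedTuple):
    commit: str                # commit that introduced the line
    path: str
    rule: str
    removed_in: Optional[str]  # later commit that deleted the line, if any


def _strip_prefix(p: str) -> Optional[str]:
    p = p.strip()
    if p == "/dev/null":
        return None
    return p[2:] if p[:2] in ("a/", "b/") else p


def scan_history(log_text: str) -> List[Finding]:
    """Scan `git log -p` text (newest commit first) for secrets in added lines."""
    commits: List[str] = []
    added: List[Tuple[int, Optional[str], str]] = []
    removed: Dict[Tuple[Optional[str], str], List[int]] = {}
    path = old_path = None
    in_hunk = False
    for raw in log_text.splitlines():
        if raw.startswith("commit "):
            commits.append(raw.split()[1])
            in_hunk = False
        elif raw.startswith("diff --git "):
            in_hunk, path, old_path = False, None, None
        elif not in_hunk:
            # File headers only count before the first hunk of a file.
            if raw.startswith("--- "):
                old_path = _strip_prefix(raw[4:])
            elif raw.startswith("+++ "):
                path = _strip_prefix(raw[4:]) or old_path
            elif raw.startswith("@@"):
                in_hunk = True
        elif raw.startswith("+"):
            added.append((len(commits) - 1, path, raw[1:].strip()))
        elif raw.startswith("-"):
            removed.setdefault((path, raw[1:].strip()), []).append(len(commits) - 1)

    findings = []
    for idx, fpath, text in added:
        for rule, pattern in RULES.items():
            if pattern.search(text):
                # Smaller index means newer commit; take the first deletion
                # after the add. Heuristic: re-adds are not tracked.
                later = [j for j in removed.get((fpath, text), []) if j < idx]
                removed_in = commits[max(later)] if later else None
                findings.append(Finding(commits[idx], fpath or "?", rule, removed_in))
    return findings


# Constructed `git log -p` output; ids, names and values are placeholders.
SAMPLE_LOG = """commit 3333333
Author: Dev <dev@example.invalid>

    Move DB password to environment variable

diff --git a/settings.py b/settings.py
--- a/settings.py
+++ b/settings.py
@@ -1,2 +1,3 @@
+import os
 DB_HOST = "db.example.invalid"
-DB_PASSWORD = "constructed-value-1234"
+DB_PASSWORD = os.environ["DB_PASSWORD"]

commit 2222222
Author: Dev <dev@example.invalid>

    Add deploy key

diff --git a/deploy/id_rsa b/deploy/id_rsa
new file mode 100644
--- /dev/null
+++ b/deploy/id_rsa
@@ -0,0 +1,3 @@
+-----BEGIN RSA PRIVATE KEY-----
+CONSTRUCTED-PLACEHOLDER-NOT-A-KEY
+-----END RSA PRIVATE KEY-----

commit 1111111
Author: Dev <dev@example.invalid>

    Initial settings

diff --git a/settings.py b/settings.py
new file mode 100644
--- /dev/null
+++ b/settings.py
@@ -0,0 +1,2 @@
+DB_HOST = "db.example.invalid"
+DB_PASSWORD = "constructed-value-1234"
"""

if __name__ == "__main__":
    for f in scan_history(SAMPLE_LOG):
        state = "removed in " + f.removed_in if f.removed_in else "still at tip"
        print(f.commit, f.path, f.rule, "(" + state + ", present in history)")
```

A finding with `removed_in` set is the case the comment warns about: the value is gone from the current tree but remains retrievable from history, so it has to be rotated regardless of whether history is rewritten.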
Commit messages that imply anti-competitive behaviour ("Committing a change to the API to lockout competitor XYZ").
Commit messages that imply code theft ("Using a method that we used at my previous company").
etc.
Sometimes things that look sketchy might be innocent but will still cause nightmares for twitch since they'll now have to play defensively as people call into question anything that ever went into the repo.
Dozens? The 4chan post said "almost 6,000 internal Git repositories". We don't use git at work (TFS, yay), and we definitely aren't on their scale, but that seems high to me. Do they have a repo for every class? Is this normal?
I've never worked in this way (when I've been part of the org), is it that common? What are the benefits of making everyone fork repos vs branching off the original repo?
It's common in general open source projects where you might want to send a patch for something that you don't have commit privileges to, but I've never seen that used in enterprises as they have central auth / groups with the users required to work on the code.
I worked at a large gaming company and that was definitely the collaboration model.
Before per-branch controls, the only way to disable write access (while maintaining read access, pull-request privs, etc) to a repository's blessed branches was forks.
TFS converting to Git/Azure DevOps here. Be the change you want to see in the world! There's a chance that some of the people in your org that don't use TFS could use the organizational tools built into GitHub/GitLab/BitBucket/DevOps. If you get enough teams on board with that platform that also happens to use Git, then you can make that push to IT!
My company has way more than 6,000 devs and each dev creates a git repo as part of our onboarding process and uploads it to our centralized git tool (you create and push a mostly empty test repo as part of the basic training). Just from that, I'd imagine my company has tens of thousands of git repos, although a lot of them probably only have a single file or some random throwaway code.
The number of git repos might look big but without knowing more, the content of most of those repos could be a complete nothingburger. Number of git repos is pretty meaningless metric, IMO.
Note it doesn't say unique git repositories. It could just mean each employee's fork is included in that count, which would inflate the number like that.
It's already the case and actually a big fight we're having (company of 70k employees spread everywhere) because we can't reverse engineer our upstream and downstream systems and it leads to huge bottlenecks trying to understand them when issues arise, as we need other teams etc.
Many of those companies still have a few (not always skilled) IT people with access to everything! And they sometimes make it easy for themselves by putting themselves in 2FA exception groups etc.
Will depend on the company. Back when I worked for British Telecom, some team leaders with wide access to code & data on some projects had to go through Developed Vetting (TS clearance).
Back in the mid 90's there was an issue in Scotland when a well known journalist got a job in a call center and looked up the private telephone numbers for the Queen.
Am I the only one a bit disappointed by the gross earnings for the top 5 earners given how much the media has been hyping the money made by e-gamers? For some reason I would have thought they would make more money over 2 years. Top earner was grossing $9.6M ($4.8M/yr), 10th was $2.9M ($1.4M/yr), at 81 you drop below $1M (500k/yr) on twitch pre-tax revenue. After 81 you drop below the $1M over two years threshold.
Actually the more I think about it - that does seem like a lot if you add in their other rev from youtube channels and other compensation. I understand why all the pro players started working on their twitch stream content more than winning competitions. More stable business and viewer base.
A lot of those streamers are pretty open about how twitch revenue is a small portion of their earnings.
Ninja was famously paid $1MM for an 8 hour ad of playing Apex at launch.
I've had private conversation with large streaming friends that have all said independently that the amount they get paid from a short Raid Shadow Legends ad is huge. One said it's enough to buy a nice car, and if they hit their target downloads (w/ link) the number jumps up to enough to buy multiple nice cars.
There is a lot of big money for streamers, not just big streamers.
I saw a thread on twitter as part of this leak that showed chat of a streamer turning down around $1.6 million a month to advertise a gambling website, because another one was paying more.
I'm not surprised by any of this. If you ever did any digging in to how much advertising pays, ran numbers on twitch subs, etc, these numbers match that quite closely.
Number 1 is Critical Role. Their website lists 24 employees (many of whom are professional actors), and I’m sure there’s more behind the scenes. Salaries add up quickly.
I'm pretty sure that Critical Role isn't the main income for most people.
Also: 4.8M/24 people is still 200k per head. Even if you assume that various costs take 50% of the revenue, they're all still making 6 figures for a thing that's pretty much a side hustle for most of them.
Let's say payroll is half their total costs. Payroll taxes plus income taxes works out to somewhere around 40-60% of the remaining amount. Health insurance is probably in the 10% range per year, leaving them with a $50k salary. Costs are not, of course, quite that high.
As a point of comparison, a talented voice actor can gross around $125k per year, working from home as a freelancer. I don't feel that the Critical Role actors are being overcompensated at all.
You think an assistant is being paid same as busy TV actors? :)
The most amazing Critical Role fact might be its creation was indirectly financed by Youtube/Google :o. Felicia Day knew all of those guys and about their private DnD game, she invited them to film few episodes for her YT channel "Geek & Sundry". Channel started with $1Mil advance from YouTube Original Channel Initiative, one of the rare if brief successes.
That works out to $200k/year for each employee, which after you account for benefits is a solid middle class income, assuming they don't live in downtown San Francisco or something.
The traditional distribution of social classes historically was something like 90%+ working+lower classes (farmers/craftsmen/factory workers/service jobs/soldiers/etc) 9% middle class (merchants, doctors, lawyers, officers, scholars, managers) and 1% or so of upper class (landlords, aristocracy and capitalists; CEOs and politicians). Middle class grew much larger in mid-20th century USA, exceeding 50% but perhaps that's just a temporary situation that's now reversing as the inequity has been significantly increasing in the last 50 years or so and it looks like in the future middle class might be a minority forever - IIRC current stats would be something like 1-2% of upper class, 45% middle class, and the remaining 53% or so working+lower classes.
If you look at social class stratification, the general assumption is that if you have to work a job for your income, you're not upper class, you're serving in the employment of the upper class. If you have a high paying job, that's defined as "upper middle" social class at least until you have accumulated wealth to transition to a capitalist/owner/investor role (as some popular musicians and athletes do); being in the top 4% of earners is quite reasonable for traditional upper middle class roles e.g. independent lawyers and doctors, which also tend to earn 200k+/year in USA.
It's among the top 4% of income, that's an objective metric. Being in the top 4% of people in one of the wealthiest countries in the world is objectively not middle class.
I don't think you've been keeping up with home prices and insurance costs around the country. $100k take home isn't all that anymore. You're not food stamp poor, but it's easy to be house poor at that income level, especially if you're shooting for a better school district. Health insurance costs eat up so much of that it is not funny, even if you are healthy. If you or someone in your family comes down with an expensive medical condition you'll be in real trouble.
True, these people are all self employed, so insurance costs would be pretty large. If you're making 200k I'd still say you've probably got at least 100 left over after taxes and insurance. That affords you a 600k house using the 30% of income rule if you can get the down payment together.
That is literally the top earner in the community made up by a team of people.
The media/VC etc community has been hyping e-gaming as the new sports domain. That said the top salary for a sports player is $168M / year for one player (Lionel Messi) and number 99 is $35M/year (source: https://en.wikipedia.org/wiki/List_of_largest_sports_contrac...)
It really shows how much of a step change there is between the sports & e-sports and I would be curious how much of this Twitch is keeping to themselves instead of paying out.
Not to mention how much uptime e-gamers have to put in.
Also good to note that most streamers have a side donation system that more than likely isn’t included in these numbers. Donations seem to be generally run through a non twitch third party site. And is probably a substantial increase if not a doubling of their income.
Before commenting on how much revenue this seems to be for the streamer, remember that most streamers hire and maintain staff. Preach Gaming, for example, has 6 full time staff. Angry Joe is somewhere around 8. Critical Role’s website lists 24 employees, plus more who are likely not credited.
If you squint a bit, that's not that far off of niche pro athlete money (especially given that the bottom end doesn't have the same discrete threshold that pro sports do). Per [0] the best-paid NHL players are making ~$10M/year, and I would expect the NHL to be more efficiently monetized than internet streamers (we know that making money as "talent" on the internet is a tough proposition).
> PS: Make sure to change your Twitch (and possibly Prime) password. Twitch is already prompting users to do so based on Reddit posts.
This is not worth worrying about. If Twitch is making you reset your password, that means you don’t need to hurry because they’ve already locked your account. If your password hash leaked, the important thing isn’t Twitch, it’s every other place you used the same password.
There are downsides to asking people to change their password for everything! (even though this is a big "everything")
I remember some services send you a message telling you to change your password anytime a new device logs in or even fails to login to your account. That causes most people to pick weaker passwords, since they're not all using manager apps.
Cry? Realistically speaking, this isn't going to happen without physical access to your computer or malware, though. So don't leave your computer unattended and don't download sketchy things.
Expecting people to simply memorize a unique, strong password for every single website that they use is unrealistic. Of course, no solution is perfect, but that doesn't mean we shouldn't improve the current situation of people reusing passwords with maybe slight modifications per website.
Outside of the same authentication domain with bad auth token practices (Windows) the hash almost always is useless elsewhere. Salting increases the complexity and thus size of hash tables or hash comparison (rainbow tables), but if you manage to break or brute force the entries, salted or not, the secret often is reused by many users.
That's not what salting does, and different hashing methods are irrelevant. The danger of having your hash leaked is that it can be cracked and the plaintext password recovered. The hash itself is entirely useless for logging into other services.
If this is a phrase to unlock a bitcoin account with 1000 bitcoins in it, then you can easily convince people to try and brute force it.
Do you have Amouranth's or xQcOW's salted hash from this leak? Might be worth trying to brute force it.
You try on those kinds of accounts because they might have re-used it or the password might be patterned or not completely random, which gives you a chance that the credential might give you access elsewhere.
If you arbitrarily take $50k as a living wage then it's basically the top 2000 streamers who can make a living on Twitch. Random googling tells me there were approximately 8 million active streamers in September. Again arbitrarily assuming that 7 million of those are 'casual' and doing it for fun that means the percentage of streamers making a living wage is 0.002%.
Back of the napkin math but kinda depressing.
Edit: Someone on Twitter told me that Affiliate status is pegged around the top 3% of streamers. So taking that as my new baseline for "trying to make it" since you can actually get paid out, it raises the percentage to a whopping 0.008%!
Right I take that sort of thing into account by snipping off the vast majority of people active streaming. Basically guessing that only the top million people streaming are actually aiming to make a living wage.
The thing with Twitch streaming is that you can do it from almost anywhere. So, $50k is maybe a bit high for a living wage.
Plus, Twitch is probably just one source of income for many content creators. For many it's not their primary source, but just a side source. YouTube, Patreon, OnlyFans, outside sponsors, or even esports may be where they make most of their money.
This is a, maybe, long way to get to this, but keep with me. I have always been fascinated by understanding what is edible, useful, or "traditionally medicinal" in the natural world around me.
I have spent decades of my life learning about how to use, propagate, and cultivate most plants, animals, fungi, and minerals (not the propagate part here) in an area +/- 100 miles from where I live. I've taught a couple of State University extension classes, and regularly sell at a farmers market the things I gather/grow, just for shits and giggles.
People have asked me for years why I don't do this for a living. Why don't I do that instead of working a job that I am neutral to, but that pays the bills.
Because all of that sounds exhausting. Needing to maintain a presence on so many platforms, interact with so many people, and constantly be thinking about my next thing for all of the various platforms is just exhausting.
I don't know how people can do it without burning out.
So then there's even more pressure to perform, at a higher level even, to pay for the lives of myself at least one other human entirely. I still don't get it.
> The thing with Twitch streaming is that you can do it from almost anywhere. So, $50k is maybe a bit high for a living wage.
The thing is, the power law curve is so strong that if we take the top ten thousand, which sets a living wage at approximately $11.5k, which is definitely not a living wage in a lot of places people stream from, then that only improves things to the top 0.04% (of those trying to make it).
> Plus, Twitch is probably just one source of income for many content creators. For many it's not their primary source, but just a side source. YouTube, Patreon, OnlyFans, outside sponsors, or even esports may be where they make most of their money.
If you read the original comment the gross amount supposedly includes 3rd party revenue.
There's no way it includes all 3rd party revenue. Many big YouTubers have a Twitch, and occasionally stream on it, and they maybe make very little on their Twitch but would be near the top of this list from YouTube revenue. Dream, for example.
Insanely high or insanely low? I actually felt kind of weird that I make more as a software engineer than some of these legit celebrities (not the very top ones of course, but still more than many of the ones I follow or have heard of)
Keep in mind this is just what they make which Twitch knows about. Plenty of sponsorships, tournaments and other income streams exist for a majority of these people.
On top of that, besides their eceleb status, most of these people aren't that professional. Plenty of them are a combination of variety or casual, often to a degree the person isn't even that good in games in general.
Their production quality also isn't anywhere near amazing (note it can be both organic and high quality), and other parties (e.g. Hololive) have shown how easily the space can be disrupted. For those curious, notice how many top streamers still lack actual high quality audio (mostly from their own lack of voice training rather than equipment), proper schedules and sticking to those schedules, high quality video when applicable (e.g. bad light), allow themselves to get devolved in politics, allow their streams to go majorly off-track in general, etc. It's not like these guys don't have the means to drastically improve it.
And the obvious: we don't have anywhere as much of a shortage of people willing to play games in an extremely dedicated manner as doing software development.
The other thing for comparison to traditional jobs is the hours worked. Most streamers I follow work insane hours. Then the other bits and pieces they have to pay for themselves. For example taxes employers would otherwise cover and things like health insurance in the US.
On production quality, I think it's a mistake to think it matters too much. Live streaming is a different thing to television. In very much the same way Roblox is different to AAA games.
There's also a level outside of the more chaotic personalities who make a lot of money in spite of themselves where there is a lot of professionalism going in to making things seem pretty casual because these people know their audience.
The hours worked is all over the place really. Some of the top streamers don't work anywhere close to 40 hours or past it. Others grind 10 hours a day for almost every day of the year (often burning out a few years later). A lot of the top streamers do a combination of taking sporadic breaks, streaming only 3-4 hours a session, etc.
The other problem with looking at hours worked is it's hard to quantify sporadic interactions on multimedia and the likes. Arguably the biggest drain, most of these people are always "online" and have a hard time unplugging themselves. This is further exacerbated by the momentum loss most streamers perceive when not streaming for a long while.
>On production quality, I think it's a mistake to think it matters too much
But we don't really know that yet. It's extremely hard to quantify all these variables and what truly matters. What we do know is many people in these circles have fallen to the side since they were unable to keep up with the modicum of effort newcomers put in despite their lack of resources and despite the first-mover advantage these old-timers had. At the same time, we see other parties break through with new concepts while putting in a ton of effort to market and PR themselves, and it worked, as seen with the Hololive example. The top earner is (apparently) also much more professional than the majority of the top 10/100/N.
>Live streaming is a different thing to television
If anything, this is the biggest problem. If beginners are expected/advised to put in much more effort and resources to (increase their odds of) breaking through compared to before, why is it acceptable for someone earning a Silicon Valley-equivalent salary while living in a much lower CoL area to stream in a dank basement or attic with poor audio quality? This isn't a criticism as much as a question. Maybe it doesn't matter. But it's also the question which makes people wonder "should they be earning as much as they do?"
I hope I didn't misread the numbers but to my understanding it's just what they get from twitch directly (ads/subscriptions share), most streamers probably make significant amounts in donations on top of that, and probably have secondary revenue streams via YouTube (stream highlights etc.)
Depends on your local legislations, but be careful that by default on torrents you are also sharing those files to others so you are also distributing stolen material, so it may have an impact on your potential "crime".
I saw the payout pastebin, but I'm very curious what the Amazon vs streamer cut is for sub revenue in particular. This is the key thing streamers negotiate with Twitch over, and is covered by the NDA.
Rumor was recently negotiations have been very cut and dry for newer big/up and coming streamers basically being told to take some algorithmically assigned cut or give up partner status.
Number of subs is often known, and the relative size of channels is known. Unless someone's going to be surprised that someone with double the viewers makes double the money, I doubt there will be any surprises.
There are a few outliers in this data. Some streamers with smaller viewer bases are making more because of exclusivity deals, so I imagine there will be a little bit of drama.
Different contracts between Twitch partners have different levels of ad density, as well as differing amounts of cuts of subs/bits taken by Twitch. It's pretty negligible though, and could have been kinda estimated previously. For example, Hasanabi is claimed to have one of the lowest ad density requirements on twitch (1 60 second ad per 1 hour of broadcast, plus 3 minute ad at end of broadcast) which does line up with him making less than multiple streamers with less subs than him (and with probable higher ad densities required by contract).
Yeah, this has nothing per se to do with exclusivity though. (As in, XX months exclusivity to Twitch. For those who don't know, every common partnered streamer already is exclusively bound to Twitch for livestreaming content. If he wants to stream somewhere else, he loses his partnership. (And yes, there are exceptions, old contracts, ...))
And "premium contracts" to keep talent were offered pretty much since day 1, just looked quite different back then. (Mainly just differentiated in sub share. For the last 2-3 years they also include better ad payouts (and a minimum of ad time), bonuses for minimum amount of hours streamed, etc.)
And... every streamer who only cares a bit about his business already knows, at least for the most part, what kind of contract other streamers are on.
So don't think there will be any (real) drama - but I also didn't see or hear of any extreme unexpected outliers.
I think a lot of the general public / viewer base is not aware of how much money streamers are really making. And I would guess other streamers have a sense but not total amounts. We will see...
I was under the impression that Twitch streamers were able to be directly tipped by viewers (as opposed to being paid by the view or something by some centralized payment distribution point) and so while there would of course be a correlation on viewers to income, the variance is going to be high... some people are going to be much better at monetizing their user base than others, and I would at least expect the streamer's charm, business model, and audience targeting to swamp a mere 2x difference in viewers.
Highly doubtful. Anyone who was already making money from twitch knows how the payment system works and can guess how much someone else makes based on views/subs. Anyone not on the inside already had access to website that gave close enough estimates.
>the leak was intended to “foster more disruption and competition in the online video streaming space” because “their community is a disgusting toxic cesspool”.
Mmm... well, if you've received what you consider to be toxic interactions on twitter, reddit and even here, but not on 4chan, have you considered that the common factor is perhaps not that all of these platforms are toxic...
...but that your views are considered problematic by quite a lot of people?
Perhaps that could be some cause for self reflection before you universally declare the entire platform here hostile and toxic.
> your views are considered problematic by quite a lot of people
What I consider problematic is the fact these people will organize massive efforts on Twitter to ruin other people's lives because they posted wrongthink. They make the 4chan raids I've seen look amateurish.
Indeed. There is some downright grotesque "malice" in Twitter cancel-culture efforts. It's really strange they are not self-aware and call 4chan (~last bastion of free speech) toxic.
Yeah, 4chan is toxic and savage, but at least they are honest and humane in a candid kind of way.
Yeah. 4chan is supposed to represent people's unfiltered thoughts, what people really think when freed from social consequences. This produces a wider spectrum than what most people are used to seeing, both good and bad.
While 4chan posters occasionally get organized and manage to operate outside their borders, these incredibly malicious activities just aren't something I associate with them. They're the specialty of groups like kiwi farms who are responsible for the suicide of at least one video game console emulator developer. I was shocked when people told me about byuu's suicide here on HN.
People on 4chan will call you slurs and insults but it is never personal, part of it is due to the anonymous nature. People here will be personally vicious and hostile.
> ...but that your views are considered problematic by quite a lot of people?
You do not know what my views are. It's as if you are trying to prove me right honestly. (btw, I am not posting on reddit nor on twitter, nor 4chan for that matter)
Plus the same could be said for the toxic interactions that you had on there.
> Perhaps that could be some cause for self reflection before you universally declare the entire platform here hostile and toxic.
Again, same thing for you. "Perhaps that could be some cause for self reflection before you universally declare the entire platform there hostile and toxic."
There's a difference between vicious mockery of a company and its founders on a single website, and having randos holding knives knocking on people's windows.
This is patently ridiculous. The biggest boards on 4chan, particularly /pol/ have widespread support for the genocide of Jews, black people, Muslims and women. Well maybe not all women, a more common view is instead that they should be enslaved to men. This kind of correction should give an idea of what kind of ideas are popular there.
Of course 4chan is not just /pol/ but it is the biggest board, and together with /b/ contribute to plenty of hateful content as I mentioned. The culture between boards is different but /pol/ refugees in particular have been spreading to other boards for several years now and it's very annoying because even if a small group of them decide to visit a board regularly then they can ruin the culture because of relative sizes between the boards. Reddit and Twitter have their own problems, particularly with echo chambers but the biggest subreddit on reddit isn't spewing anywhere near the same kind of shit as the biggest board on 4chan does.
Go to any board, /lit/, /g/, /fa/ (maybe less so), will all have a thread or two that you will be able to tell are directly influenced by /pol/ posters. Some boards call them out, most don't.
Maybe on streamers with less than 50 viewers. Every Twitch stream I've seen, the chat is easily 100x more toxic than any HN thread. Ridiculous comparison.
Real question - why does it matter to you? If that's how people want to spend their time and money, and it makes them feel good, even if they look foolish, what does it matter to you?
I'm really bad at woodworking, but I do it a lot, and I've spent a crap load of money on it. Does that matter at all to anyone else in the world?
Our societies do regulate how people can spend their time and money in certain regards. I don't think that's necessarily wrong. Smoking is banned, some countries have labeling for unhealthy products, and so on. Things can end up affecting other people in the long run, so I don't think it's unreasonable to contemplate addressing stuff like this.
I think the main issues overall are encouraging parasocial relationships, and also the problem of selling sex to kids. I'm no prude but I think it raises some ethical questions when you have gaming content and sexual content in the same spot. If I had kids, that would matter to me.
Hmmm. I thought I had something in Firefox (setting or addon) that didn't send referrers for external sites when you click-opened a link in a new tab. But it doesn't seem like it anymore.
If you're going to download it, I would probably use a VPN or something before you do. Technically, this would be copyright infringement. I don't know if Amazon would go after people downloading this, but you just don't know.
it depends which legislation you reside in, I believe most allow you downloading stuff like that as long as you don't reshare (uploading and sharing is the part where Amazon could go legally after you)
In the US, you're fine. The laws that exist barring possession of information largely revolve around copyright, CSAM, or classified information (only relevant if you have a clearance), and none of those really apply here.
There are fair use exceptions? I'm no expert here but Google says,
Since copyright law favors encouraging scholarship, research, education, and commentary, a judge is more likely to make a determination of fair use if the defendant's use is noncommercial, educational, scientific, or historical.
The revenue only contains a few data points (below), things like TTS donations, 3rd party revenues like OnlyFans, Patreon, Amazon Gifts and sponsorship deals are not included. Amouranth makes insane amounts from her OF alone (an estimate of 1 million $ per month based on an interview with investmenttalk). Odds are that she makes far more than him, same with a lot of other female streamers who know how to monetize themselves. Obviously the same (Patreon, sponsorships...) applies to male streamers but to a lesser extent.
Oh yeah of course, twitch is probably a minority of her earnings. But what I think is more interesting is that Twitch's moves to make it easy for advertisers to opt out of streamers like her doesn't seem to have hurt her earnings all that much if she's still that high. Ofc it could be that ad revenue went down but sub revenue was way higher, which, again, is telling. Also could be that ad buyers didn't blink and continued paying for the hot tubs category. I think it points to a more plausible future for softcore streaming - there might be a market for stuff that's less explicit than camgirls, especially if that makes it easier for kids to access it. (I don't condone this, just think it's interesting.)
Prices for ads are very poor on Twitch. The claim was that Amouranth made "just" some ten thousand income with ads, which considering how many viewers she has is not that high. The majority of direct income on Twitch comes from donations and subs. The bigger income comes indirectly from placements and cooperations outside of Twitch, which of course are not part of the leak.
Twitch is not YouTube. For some reason they had for a long time big problems to get their ad-business running, especially outside the USA. It seems because of this the payment is low for streamers.
Until Steam has a couple major screw ups, potential competitors better have tons of capital to keep throwing at their platform-in-waiting! Amazon does have the $$$, but they also have hungry shareholders that won't wait like they used to. Gamers by and large quite like the platform Gabe has built.
I guess they could tie it to Amazon Prime (like they did with Prime video) and just let Prime customers download any game on the platform without paying extra.
Prime Gaming has been giving "free games" to people for years. They already have a huge "back catalog" for some users in the weird bare bones "Twitch Launcher". Expanding that into a full store wouldn't be the hardest play for them; if anything the surprise is that they've been so slow to do that.
The EA one comes to mind, which was recent. They had access to the source of a number of games, including unreleased ones as well as the Frostbite engine if I recall correctly.
https://www.bbc.co.uk/news/technology-57431987
I don't understand it: these companies have enormous funding, an army of employees, and they can't provide the service reliably (both regarding consistency and safety). What do all these coders do all day? I'm asking as an uninformed party of course. But it looks to me like these are companies that build bridges, and their bridges are collapsing all the time.
What do you mean? You think all coders are security engineers? All code has dependencies, often dozens of them. You might just need a single vulnerability in a trusted third party library to allow this to happen. These are humans creating these products. I would say that SPECIALLY because of the size of these products, vulnerabilities are inevitable.
> What do you mean? You think all coders are security engineers?
Now, imagine using that argument when a bridge falls down. "What do you mean? You think all the bridge builders were safety engineers? Bridge components rely on different dependencies, often dozens at the same time. You just need one point of failure and boom, it collapses. These are humans creating these bridges. I would say that SPECIALLY because of the size of these bridges, collapses are inevitable."
Comparing bridges to a streaming service is nonsensical, frankly.
People die when bridges collapse. People get mildly inconvenienced if twitch is slow or down.
Accordingly bridge construction takes security & safety much more seriously throughout the project. And it's orders of magnitude more expensive to build and check bridges for safety issues, etc.
But it's still true that each individual contractor in a bridge project is not a bridge integrity engineer. I was replying to GP who said
> What do all these coders do all day?
Implying that all coders have to care about everything in their stack. Putting the blame on UX devs or data engineers for the platform to be offline doesn't make any sense. Even hiring more platform engineers doesn't necessarily fix this issue. Like when building a bridge, you avoid this problem with good architecture.
Your analogy would be more accurate if the bridges were constantly being blown up by terrorists.
Designing perfectly secure online systems is very hard (if not impossible).
Software is very complex, and people are trying to break in constantly. It only takes one person to get lucky or find a vulnerability.
Uninformed point of view - I'd be curious the split of that army of employees, since the money isn't in keeping the lights on, it's in sales and feature development. Stability is rarely the forethought unless it's there from day one. It probably takes a lot of money and human hours to keep the streamers engaged, and far less to watch Grafana dashboards.
Because so much of programming is written at a high level, most coders don’t know what the hell they are doing. Maybe the level of abstraction achieved makes it impossible to know.
Edit: One of the reasons is that because there are a very few people (probably) who do the low level stuff, there aren’t enough eyes on the code and a lot of vulnerabilities left in production.
Software companies are maybe incentivised to hire a lot of programmers who can start delivering on day 1. This wouldn’t be possible without the convenience afforded by high level languages.
Here's a link to the data: bWFnbmV0Oj94dD11cm46YnRpaDpONUJMWjZYRUNORUhIQVJISk9WUUFTNFc3VFdSWENTSSZkbj10d2l0Y2gtbGVha3MtcGFydC1vbmUmdHI9dWRwJTNBJTJGJTJGb3Blbi5zdGVhbHRoLnNpJTNBODAlMkZhbm5vdW5jZQ==
I'm very curious to have a peek but isn't downloading stolen material a crime? And wouldn't this be compounded by the fact that with torrent systems you are also helping redistributing it further?
At most, it would be copyright infringement if Twitch (or Amazon) claimed copyright ownership of the code, which I assume they do.
There's no such "trade secrets" laws or anything like that you're violating. Perhaps the hacker has broken laws of unlawful access (i.e. hacking), but you certainly aren't just by downloading it. It's as bad as downloading a song or streaming a movie on a sketchy website. In practice, I've never heard of anyone getting sued for downloading code in a large leak.
When the Windows source code got leaked, so many people looked at it, including FAANG engineers. As long as you don't bring any of that stuff to work you're fine. That includes the knowledge[0]
Possibly, but more importantly it is also just plain immoral. It's disturbing how readily this community wishes to access, analyze, copy, and redistribute this stolen information. This same community that bemoans corporate exploitation of data now getting its rocks off creeping on stolen data.
Can anyone confirm how the revenue data is split?
It looks like it's split in the folders by YEAR -> MONTH -> DATE, however there are only folders for days 3-8 in each of the month folders.
Looks like someone is uploading and organizing all of the information on GitHub. Stumbled upon it and haven't seen anyone mention it. Thought you guys might be interested.
Most comments listing which streamers earn more, commenting on this being only part of their revenue, etc.
Would be way more interesting to me to know the distribution of people giving away their money. I personally spend about $20 a month on Twitch, I wonder in which part of the bell curve I am, and if it is a bell curve at all.
Managed git services suck at providing security that scales beyond a few devs. Most orgs that use GitHub are exposed to the risk of having their source code leaked by current or past employees.
I'm hoping this leak will have serious financial consequences and bring awareness to that.
In case anyone wants some practical advice to harden your github access control to lower the blast radius, a good friend (and disclaimer my co-founder of a relevant stealth mode startup) wrote a nice blog post about it: https://blog.arnica.io/afraid-of-your-source-code-leaking-i-...
It's our first blog post (and we really tried to avoid making it look like blog spam as it's not intended to be blog spam) so please be gentle (but still brutally honest)
Every time this happens (which feels like almost every week already) I feel sorry for the people whose data leaked but a part of me says "good, perhaps another case will add to the critical mass and the society will finally realize amassing personal data in digital databases is madness". Everything which can should be anonymized, the rest should only save the essential data needed to fulfill its very function. Whatever is not digital yet should never be.
Based. Lot of streamers gonna feel some blowback on this. Not that it should matter but supposedly there’s a bunch that lie to their chat about the income they generate.
It's illegally obtained information, sensitive information, about thousands of individuals and their personal businesses. I don't think it's appropriate, and I would hate to be on that list right now.
Isn't this the exact argument search engines have been fighting for years in relation to piracy? The data hasn't been provided, a link to the data has been provided
Morally I won't be using any of the data. The data however is out whether you roadblock access to it or not.
The chances of you stopping someone who's nefarious enough to use the data but so non-technical that they can't find a magnet link is so low it wasn't worth me typing this sentence about it.
It’s not about stopping anyone, and it doesn’t matter what people are doing. It’s about making a choice about what we want to stand for and then acting on that. And that’s a choice.
> Twitch is aware of the breach, the source said, and it’s believed that the data was obtained as recently as Monday.
Does that mean that Twitch has very poor security systems that the entire infrastructure and data of Twitch was breached and it all fell into the hands of this so-called hacker?
Compared to the Epik breach weeks ago, this one is a lot worse.
I don't know what the point around this breach is for but surely the so-called hackers that have done this have now made matters worse for all Twitch streamers now. That was Part 1.
From what I understand there was a way to access their internal enterprise github instance, which gave them access to all the source code, and a bunch of internal documents and database dumps.
Twitch likely stores a lot of payment information too, I don't see why they would be better secured than anything else in this dump. Could get interesting
>Top earner is a role playing group. How interesting.
A group of professional voice actors who put on a real show every week, with extremely high production quality. A real standout on the list and well deserving of the #1 spot.
I've always loved the spells in D&D that talk to plants. "You imbue plants within 30 feet of you with limited sentience and animation, giving them the ability to communicate with you and follow your simple commands."
Every casting of the spell is a Flowers For Algernon tragedy, as the plants around you realize they will only be sentient for 10 minutes and then fade back into nothingness.
That depends on your definition of sexual. If you have someone in underwear with the sole purpose of arousing people of the opposite sex, that is pretty sexual to me.
The microphone ear licking channels are definitely more sexual than many "NSFW" subreddits.
What actually defines porn? It's hard to say, but you know it when you see it. Spend 5 minutes watching any of the ear lickers on the front page of twitch and make your mind up for yourself. I find it hard to come to the conclusion that it's not porn.
It's sarcasm my dude. Twitch is notorious for giving female streamers a pass when it comes to nudity or inappropriate behavior, all the while banning male members for accidentally clicking on a NSFW link and it being shown on stream for seconds.
A channel I mod got a 1-day suspension because you could see the crack of a drunk guy mooning them (despite instantly stopping the stream and deleting the VOD before starting again). A few weeks before, two girls flashed them. That obviously did not warrant a ban.
HN is vastly concerned about privacy and screaming about FB transgression on these issues etc., but the top post here is about disseminating private information of 10's of thousands of people.
You can't put the toothpaste back in the tube. It's out there now, might as well examine what you can learn from it and discuss it.
FB is a business making conscious and deliberate decisions and can be called out on it in part because things like this can happen. I mean they just made such a massive goof that they completely took down their own site, other massive sites they owned, and locked their own employees out of their buildings just two days ago for almost a full day. They can certainly screw up and be victim to a leak like this as well.
> might as well examine what you can learn from it and discuss it.
That's the sort of high minded thing that WE might do here, but I worry about how this data is going to be weaponised against a whole bunch of people just trying to make a living from things they're passionate about.
I'm not a streamer (yet?) but I kind of see Twitch as this haven for a bunch of people who, until the advent of streaming, didn't really have an outlet, or an easy way to find like minded people, let alone (in some cases) make a living. I used to write off Twitch as a crazy fad that didn't make any sense to me. Then I spent a bit of time on there and realised what an awesome bunch of people (mainly) inhabit that place.
I feel very sorry for anyone caught up in this who goes on to experience some of the inevitable downsides. I can just see morons in the chat on various streams constantly bringing up how much the streamer earns (or doesn't earn) etc.
Oh no, I definitely feel bad for the people who had their data leaked and worry what some malicious people will do about it, but posting about it on HN isn't going to change that.
I've done a tiny bit of streaming myself at some point, and keep meaning to do a bit more. I'll never have any significant following, but it's a cool website. It sucks that it's gotten out there, but it's too late, it's out.
Might as well satisfy my morbid curiosity of how much some streamers are making on that site, which is about all I'm doing with this data.
This is the same logic that a lot of people used during The Fappening. If we think it is immoral to steal this data then we should not condone people copying it and analyzing it as that's just benefiting from someone else doing the dirty work for us.
Information is subject to Supply and Demand like everything else.
We don't publish the names of victims of certain crimes, and they are not widely known even if they are leaked, thus significantly limiting the damage. Information about how to make 'violent things' with easily acquired materials, certain recruiting videos for 'very bad groups' aka ISIS etc. - all of this is out there on some level but because it's actively not propagated, the likelihood of it having an impact is reduced.
We shouldn't be publishing individuals' income, or the private source code of normal, legit private groups.
At least that table above doesn't reveal much you couldn't have estimated from their official twitch page to begin with and I don't really consider earnings that private (neither do most of the top streamers by the way who tend to display their sub count on their streams).
People on HN probably would very much oppose leaking private DMs but transparency on celebrity earnings is not exactly that big of a deal. I'd actually like earnings transparency in general, like it already exists in Sweden.
Given that children's rights on the internet seem to be a hot topic, this might give some of them an idea who they're giving their hard earned money to.
My wife and I can't wrap our brains around the fact that payment info was leaked alongside source code.
Any theories how this happened?
Former pentester btw. I saw a lot of interesting things during my time, but I can't recall seeing a payment database next to a source code repo.
Did their s3 bucket get popped or something?
Even if their github enterprise got popped, that doesn't explain that streamer payouts down to the dollar were leaked. "Oh yeah, I commit all my stripe data into github. It's for compliance /s"
EDIT: If you want to see how much everyone's making: https://www.reddit.com/r/LivestreamFail/comments/q2gooi/twit...