Hate raids could make a redoubled resurgence on Twitch following the hack that dumped 125 gigabytes of the platform’s data on 4chan.
A member of Twitch’s development team told Shack News that the leaked data included the complete operating code for Twitch’s AutoMod, which is one of the first lines of defense for keeping harassment out of creators’ chat rooms.
The developer, whose identity was kept concealed, said the code’s availability will make it “easier to figure out how to circumvent.”
Subscribe for daily Tubefilter Top Stories
“This will make hate raids that much harder,” they said. “People can read how the tools moderate, if you can read the secret sauce, you can work around it.”
Twitch creators–specifically marginalized Twitch creators–have been dealing with hate raids for months now. These attacks weaponize Twitch’s raiding feature, using it to bring dozens, hundreds, or even thousands of bot accounts into creators’ streams. These bot accounts then auto-spam hateful, harassing, and often racist messages.
Within the last two months, raids became so severe that some creators organized a blackout protest that noticeably dented Twitch’s traffic. Not long after, Twitch confirmed it was (and is still) working on more ways to handle hate raids.
Then, last month, Twitch filed suit against two users it said were instrumental in organizing many of the raids. According to filings in the ongoing lawsuit, Twitch tried to cull the users’ efforts by banning their accounts, but they got around bans by constantly “creating new, alternate Twitch accounts, and continually altering their self-described ‘hate raid code’ to avoid detection and suspension by Twitch.”
If Shack News’ source is correct and bad actors manage to get hold of Twitch’s AutoMod code, that will make it immeasurably harder for the platform to automatically slow or stop hate raids, leaving creators with little choice of defense except turning off the raid feature altogether or manually banning bots one by one mid-stream if they are hate raided.
Twitch says users’ login credentials likely not leaked, resets creators’ stream keys just in case
Twitch does not yet know the full extent of the data leak, but has said it does not believe users’ login credentials or full credit card numbers (which are not stored by Twitch) were compromised.
In an update posted late last night, Twitch attributed the hack to “an error in a Twitch server configuration change that was subsequently accessed by a malicious third party.”
Our investigation is ongoing, and we are in the process of analyzing all of the relevant logs and data to assess actual impact. For an update see https://t.co/mp8wndXv03
— Twitch (@Twitch) October 7, 2021
(It is worth mentioning here that the dev who talked to Shack News about hate raids also expressed doubt that the hack was entirely external. They said that in order to access the GitHub account that contains Twitch’s code, “I have to hop through [two-factor authentication], a VPN, a pin, and a biometric key on my laptop. […] I do not see how to get in remotely.”)
Thus far, Twitch has moved to protect users by resetting content creators’ stream keys–unique, lengthy sequences of letters, numbers, and symbols used to give broadcasting software access to Twitch channels.
The platform didn’t say whether it believes stream keys were included in the data dump; it just said the reset is being done “out of an abundance of caution.”
Creators should have received an email from Twitch overnight with directions for getting their new stream keys. Anyone who didn’t can get their new key by going to their Twitch dashboard and selecting Settings —> Stream.
Streamers using OBS, Twitch Studio, Streamlabs, Xbox, PlayStation, and Twitch Mobile App to broadcast should not have to do anything outside of entering their new key, Twitch said. Some other softwares might require a few extra steps of manual setup.
