My wife and I can't wrap our brains around the fact that payment info was leaked alongside source code.
Any theories how this happened?
Former pentester btw. I saw a lot of interesting things during my time, but I can't recall seeing a payment database next to a source code repo.
Did their s3 bucket get popped or something?
Even if their github enterprise got popped, that doesn't explain that streamer payouts down to the dollar were leaked. "Oh yeah, I commit all my stripe data into github. It's for compliance /s"
There are several ways this could have happened.
1) The payment-data were just artifacts left on some file-server or from a process, which was accessible from dev-space.
2) No real systems were accessed and everything, it's all from a bad backup-server or poorly managed worker-pool.
3) Multiple Persons got hacked.
4) Exit-Scam of one or more Workers who just had broad enough access for some reason.
5) Twitch's security is just that bad.
Some notable thing is, the payment-data are quite limited, there are no real private data it seems, and the git-history seems also to be missing. It's not sure whether this is on purpose and whether more data will follow. But this overall hints so far that this at least was not a full deep hack.
Git commits are a good place to look for passwords/users checked in, unless you specifically prune them. So your current mainline may not have it, but the stuff is still there in the commit history chain. So if you have access to that you probably could leverage it into several other systems.
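The point above about commit history, as an added example that is not part of the original thread: a small audit script for a repository owner that reads `git log -p` output (oldest first) and reports credential-looking assignments that were later removed from the tree but remain in history. The sample log, paths, hashes, values, and the keyword pattern are all constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: `git log -p --reverse` output for a hypothetical repo.
# Hashes, paths and values are made up; none of this comes from the leak.
SAMPLE_LOG = """\
commit 1111111111111111111111111111111111111111
Author: dev <dev@example.invalid>

    add reporting job

diff --git a/config/reports.yml b/config/reports.yml
--- /dev/null
+++ b/config/reports.yml
@@ -0,0 +1,3 @@
+db_host: reports-db.example.invalid
+db_user: reports_ro
+db_password: EXAMPLE-not-a-real-secret

commit 2222222222222222222222222222222222222222
Author: dev <dev@example.invalid>

    move credentials to the secret store

diff --git a/config/reports.yml b/config/reports.yml
--- a/config/reports.yml
+++ b/config/reports.yml
@@ -1,3 +1,3 @@
 db_host: reports-db.example.invalid
 db_user: reports_ro
-db_password: EXAMPLE-not-a-real-secret
+auth_source: vault

commit 3333333333333333333333333333333333333333
Author: dev <dev@example.invalid>

    add uploader

diff --git a/app/settings.py b/app/settings.py
--- /dev/null
+++ b/app/settings.py
@@ -0,0 +1,2 @@
+UPLOAD_BUCKET = "media"
+API_KEY = "EXAMPLE-still-in-tree"
"""

# Assumed heuristic: an assignment whose key name contains a credential keyword.
SECRET_RE = re.compile(
    r"(?i)(?P<key>[\w.-]*(?:password|passwd|secret|api[_-]?key|token)[\w.-]*)"
    r"\s*[:=]\s*[\"']?(?P<value>[^\s\"']+)"
)


@dataclass
class Finding:
    path: str
    key: str
    value: str
    added_in: str
    removed_in: Optional[str] = None  # None means still present at the tip


def scan_history(log_text: str) -> List[Finding]:
    """Walk an oldest-first patch log and track credential-like assignments."""
    findings: Dict[Tuple[str, str, str], Finding] = {}
    commit, path, in_hunk = "", "", False
    for line in log_text.splitlines():
        if line.startswith("commit "):
            commit, in_hunk = line.split()[1][:12], False
        elif line.startswith("diff --git "):
            in_hunk = False
        elif line.startswith("@@"):
            in_hunk = True
        elif not in_hunk and line[:4] in ("--- ", "+++ "):
            if line[4:] != "/dev/null":
                path = line[6:]  # drop the "a/" or "b/" prefix
        elif in_hunk and line[:1] in ("+", "-"):
            m = SECRET_RE.search(line[1:])
            if not m:
                continue
            ident = (path, m.group("key"), m.group("value"))
            if line[0] == "+":
                f = findings.setdefault(ident, Finding(*ident, added_in=commit))
                f.removed_in = None  # (re)introduced, so live again
            elif ident in findings:
                findings[ident].removed_in = commit
    return list(findings.values())


def history_only(findings: List[Finding]) -> List[Finding]:
    """Secrets a scan of the current tree would miss but history still holds."""
    return [f for f in findings if f.removed_in is not None]


if __name__ == "__main__":
    for f in scan_history(SAMPLE_LOG):
        state = f"removed in {f.removed_in}" if f.removed_in else "still in tree"
        print(f"{f.path}: {f.key} added in {f.added_in}, {state}")
```

Anything `history_only` returns should be treated as exposed and rotated, since deleting the line in a later commit does not remove it from the repository.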
Also a pentester. My guess is they just had really broad access to Twitch's systems, not that card data and source code were together. Given the amount and range of data, wide-ranging access to their infrastructure is the only thing that makes sense to me here.
There are a ton of companies hiring pentesters. Most testers fall into the profession after having worked in other network or IT related professions. A few are freelance, most work for a company or in my case start their own and expand out services. It's not really any different than any other tech job at the end of the day, it just seems glamorous. Don't become a pentester if you're not ready to write extensive reports.. it's probably 75% of the job.
With that, there are tons of specific disciplines you can focus on for pentesting. I'd figure out what excites you and then go for it. Web app is diff than physical exploitation of security systems etc. but some of them cross over.
Another option. Work for the government, join a red team or apply. They'll train you and you'll leave with a new perspective and possibly knowledge you can't get elsewhere.
> if you're not ready to write extensive reports.. it's probably 75% of the job
Do you happen to have a system for building these out? As a techie, I imagine you've tried something like text-expander or similar... but I see a lot of people unsatisfied that they end up building their own tools.
Yes, we have a few tools that fill in based on scan data, with typical points of data, but a lot of what we're doing requires that it's presented in a few different perspectives. Generally we provide a couple reports, the Highly Technical (with notes, logs of actions, etc.). This can be hundreds of pages, but it's meant to be a reference for the engineering teams fixing what we found. We also sometimes provide full screen captures of the "ops". Second we provide a pared down version of that report with issues and recommendations, usually for the person that's hired us. It includes what we recommend for them to be successful. Finally we provide an Executive report that is designed to be presented by the second report recipient. Usually we've addressed the high level issues, helped with internal requests if possible (i.e. IT/Security wanted a budget for new firewall, we help boost that with our report as part of future planning etc.) and ultimately this report is designed to give whoever hired us the ability to be the rockstar (we're just the tool).
So all in, there are different tools needed for each report. Fortunately the way we capture the data and notes throughout the "op" makes it much easier for the team to put together each part.
There are ways we could automate more, we've even messed with AI writing some of the suggestions and actions based on input. So far though, we still need the humans in the loop.
Honestly the first few reports are hardest, after that you find a process and it becomes much easier.
Wow -- thank you kindly for the thorough answer. It looks like you have the reporting down to a science (given how effective that comment was and how quickly you turned it around! :).
I've seen a lot of professions where in depth reporting still requires humans in the loop, and I think that will always be the case.
There's a small hope I have that one day writing will be a bit more like programming -- as in selecting a 'class' for a structure of a section / paragraph / thesis you want to communicate, which then provides typed functions for potential inputs -> outputs, freeing up human brain cycles for more interesting ideas.
Depends actually, if you just want to do pentesting then probably do some certifications like OSCP, CompTIA, etc. Once you get those it's quite easy to land an interview for pentesting.
Initially the job may not pay well but you can build your network and then probably start doing contract work. Most of the pentesters I know make more from freelance/contract work than their jobs, because mostly that contract/freelance work pays on an hourly basis. The initial hourly rates usually are somewhere between 40-50 USD but they can go to 120-150 after just a few jobs.
P.S - I might have made it sound a very simple or easy profession but it's not :)
I would add that the more experience and time you have on the job those contract rates go up exponentially. I would also recommend if you're freelancing that you still do it under an LLC and purchase a liability policy. Too many risks.
For example. In 2012 average consulting hourly rate I charged $350. Stayed booked. 2016 $550. Stayed booked. In 2018 I had a couple really large clients that paid $1500+hr
There's gold in the hills, the trick is to figure out how to sell the pans, water, plots of land, and transportation to them. If you can work in complementary services or referrals for all the above, you just made yourself even more valuable.
Theorypothesis: the pre-Amazon acquisition company had very informal access controls, and Amazon is known for limiting how much change it imposes on acquisitions, so didn't know about this or didn't change to a more corporatey way of controlling access.
I guess if you have access to a build server that you might spy out some access credentials to other venues. Not impossible at least or perhaps some sort of service account was compromised that had access to both. Doesn't mean there was an immediate proximity of these systems, although that might also be possible.
I know projects that do or did put their production database credentials, which had full read and write access, in git.
And no, that's not a clever thing to do, neither is there a good reason to do it. But people do things you do not like and there's little you can do about it.
I would like to live in a world where you were right, but I am not. Sadly.
[Edit] dumps though are another thing. Not seen that, yet.
You need to open that link incognito. (If clicking through from HN)
The site you linked to detects if the referrer url is HN and instead displays only an image saying "HACKER NEWS - A DDoS MADE OF FINANCE-OBSESSED MAN-CHILDREN AND BROGRAMMERS" instead of the content you are trying to link to.
Yeah, it looks like there are a lot of hard-coded credentials, and one of those is to a twitch_reports database, which might be where these financial reports came from.
You need to open that link incognito. (If clicking through from HN)
The site you linked to detects if the referrer url is HN and instead displays only an image saying "HACKER NEWS - A DDoS MADE OF FINANCE-OBSESSED MAN-CHILDREN AND BROGRAMMERS" instead of the content you are trying to link to.
If you're using Firefox you can prevent the browser from sending the Referer by going to `about:config` and setting `network.http.sendRefererHeader` to 0.
When new sounds for System 7 were created, the sounds were reviewed by Apple's Legal Department who objected that the new sound alert "chime" had a name that was "too musical", under the recent settlement [with Beatles' record label Apple Records]. Jim Reekes, the creator of the new sound alerts for System 7, had grown frustrated with the legal scrutiny and first quipped it should be named "Let It Beep", a pun on "Let It Be". When someone remarked that that would not pass the Legal Department's approval, he remarked, "so sue me". After a brief reflection, he resubmitted the sound's name as sosumi (a homophone of "so sue me"). Careful to submit it in written form rather than spoken form to avoid pronunciation, he told the Legal Department that the name was Japanese and had nothing to do with music.
I worked for Nokia for a brief moment in time and the Nokia E71 (or another in that line) was internally codenamed "BeeBee" (like: blackberry) which was comical to me given that the phone looked a lot like a contemporary era blackberry.
The E71 was a god tier device. Owned one for a good bit as a teen and it was the perfect phone for that time IMO. You could even WhatsApp on it until relatively recently.
Yep! E71, E72, and E6 were some of my most loved phones. My love of that form factor meant that my first foray into Android was the HTC ChaCha - that was a mistake.
Oh man qtek flashbacks. I had a 5050, great device but good lord the battery life ducked as soon as you connected to anything (and it only had mobile data, no WiFi, unless you put in an sd expansion card). No more battery? Then your data gets wiped
100% agreed, my first smart phone and I still miss some features to this day. Really great. Shame no one makes a physical keyboard attachment or a follow up Blackberry device.
IIRC the whole common HW platform of late model E-series Symbian phones from Nokia was code named BB. Both E61 and E91 call themselves (IIRC) "BB v5.0" in USB descriptors.
It's more than just throwing money at it. EA tried and failed to separate from Steam. Epic might succeed, but it's not going to be because of money, but because Fortnite let them capture young gamers before they got into Steam. Wherever a user gets a critical mass of a library built up first is going to be the winner.
Useful to note that Prime Gaming has been doing the exact same strategy (for longer), backfilling users' catalogs by throwing a lot of money in games giveaways. Once the games have been added to your Amazon/Twitch today you can download an EXE installer from a hard to find Amazon page or use a really bland "Twitch Launcher" app that clearly is the first stage towards "Vapor" or whatever the final brand would be. For a lot of Amazon Prime users that pay attention to the Prime Gaming page month to month and click the bright shiny green "Claim" buttons whenever they show up, Amazon can just go "look at all the games you already 'own'" when they start actually marketing it as its own store.
It ought to be illegal for a 100B+ market cap company to operate in this way. They can just pour money at the problem until the incumbents shrivel up and die. Hyper fucking bad behavior that leaves the true innovators and people that care out in the cold.
On the other hand, it should be possible for consumers to claim products they own on different platforms by peering a list of their owned (licensed) products.
The early 20th century put a lot of Monopoly and Trust Busting laws on the books that say some of this is illegal, not just "ought to be". What we've lost since then hasn't seemed to be the laws themselves but the willpower to regulate in the spirit of those laws and executive power to enforce those laws.
I wonder how much I paid over the last 15 years for the 198 games in my Steam library. Not that much, I suspect between all the Humble Bundles and steam sales of yore. Nevertheless I was pissed when I had to get Origin in order to even play Mass Effect 3, and I never even considered the epic store, so I think the theory of library investment is sound. Steam has a good head start on a lot of us.
Everybody hated Steam when it was new too and with the frequent Epic game giveaways people will eventually have large catalogs of Epic games they grabbed on a lark. Between that and a number of highly desired sequels being exclusive to the platform I can't see why they wouldn't be able to eventually make inroads.
Do you remember a time when people were predicting this deep pocketed company Microsoft would bomb with their Xbox? It’s not a sure thing that Amazon could dislodge Steam, but there’s precedent.
By better systems, I hope you are also including, to name a few: Remote Play, Remote Play Together, Game Streaming, Screenshot capture, Controller API that also works in Desktop, a project to help Linux compatibility with zero effort from the game devs.
I think people just consider Steam as a store, but it has become much more than that.
Never got as far as Remote Play or Game Streaming but would have been trivial for us to do so given the backend infrastructure we had already written.
Game overlays and capture were working fine, and the controller API was designed to support any number of controllers (Steam's support is great but their interfaces are subpar, in our opinion). We were also able to pull from a well known database of controller configurations and device IDs, which really made this a non-issue.
Linux compatibility was fine as far as the client went (all of our code was cross-platform and not webkit frames or the like). The client even ran on Android and iOS.
If you're referring to Steam's Proton, we really didn't want to touch that area for a while. But we had much better systems for searching for new titles, including those that worked well on the system and also matched all of the criteria (tags and whatnot).
Our social system was also designed to support "cross-talk" between different marketplaces (Steam, GoG Universe and Epic) but we never got as far as building out any client functionality - just the initial blackbox proof of concepts.
The store aspect was indeed just a smaller part of it, though it was complicated in its own right.
The project was a great idea and we were executing well on it. Lots of cool new tech was developed for it. But nobody we talked to wanted it - including publishers, users, investors, or even friends. It didn't matter how compatible we made it, the fact that we didn't push you to re-buy games, etc.
We wanted to make a non-shitty experience for gaming and the market simply said "no".
We definitely thought about it, but decided against it. We've re-used a lot of it in some other endeavors we're working on so we don't really want to share the IP.
Amazon already has customers. If their other products are to go by, they'll just give you an account if you have an Amazon account. Probably combined with free games if you have a prime account and you can imagine that it won't take much to compete, at least not for a company like Amazon.
That was my thought. They already give away free games over Prime, if they leverage that they have already given a large number of people stake in their new market place. Plus they own Twitch, I don't believe there is a publisher who isn't interested in the idea of people being able to impulse buy whatever their favorite streamer is playing without even leaving the stream. The strategy is pretty easy actually, give streamers a cut of each sale and encourage them to put up notifications when it happens like they do subs and cheers.
The free games on prime accounts is probably exactly what will happen, and will probably be what needs to happen for it to be any amount of successful.
Look at Epic which offers free games but sees pretty slow growth outside of their flagships. Further, look at Amazon's lumberyard engine, which gathers dust for the most part.
I'm not convinced that their 'weight' will automatically guarantee wide adoption.
> no users, no publishers, neither want to join without the other
> Amazon will definitely get publishers but will users join?
Well, the publishers will be there. If users have a reason to go there over Steam, they will. Amazon will lock in a few exclusives, people will start to come over. Who knows, maybe there will be some way to verifiably move your Steam library over to an Amazon account?
I don't think the bar to compete with Steam is as high as you're suggesting, but even if it is, if anybody was going to start listing companies that could conceivably do it, Amazon would probably be on the list.
> Who knows, maybe there will be some way to verifiably move your Steam library over to an Amazon account?
The library is the #1 reason people stay in Steam. Lots of people just buy games in other places and just add it there.
Amazon could, for example, offer different royalties (say, 10% instead of 30%) for publishers willing to have their old games "moveable" to Amazon's hypothetical new platform and I bet a lot of studios would take the deal. This is not unheard of: it's how Apple does iTunes Match.
> Who knows, maybe there will be some way to verifiably move your Steam library over to an Amazon account?
Given that steam has pretty strict terms with publishers over this, I highly, highly doubt they would do this unless they wanted to dump a huge ocean of money into free license comps for developers to make money from and for users to get free games.
Competing with Steam isn't only just a money/size thing, though of course that helps.
I would imagine they would attempt to secure exclusive rights to a popular title and only distribute it from their new platform. I believe that is what epic did when they launched their store.
I think Microsoft is just less concerned about hardware now, so it looks like they're doing worse when they're not really.
Like I haven't touched my Xbox One in years, but I'm still giving them $10/month for Xbox Game Pass for my PC.
"In its latest financial results, Microsoft announced that the gaming division revenue was up 50% year-on-year, boasting huge $3.53 billion earnings over the past 12 months. The vast majority of that income stems from Xbox hardware (largely the launch of the Xbox Series X/S), which is up 232%."
- Less generous regional pricing (like on consoles) in exchange for slightly lower overall pricing
- 5% cashback into wallets, like Nintendo eShop
Epic only does some of these things, which is why it's struggling. Its lack of social features is a major reason for low engagement on the platform, probably driven by Tencent and Chinese censorship restrictions (in the same way that the Steam forums are unavailable in China).
Exclusives are anti-consumer and don't convince users if we follow what Epic did.
It's easy to say "curation/quality control" but to come up with a method and algorithmic way of doing it well is insanely difficult.
Anti-piracy is just called DRM and it's not really foolproof nor always desired. GoG is successful in catering that niche. It also requires a good understanding of reverse engineering hardening, so much easier said than done.
Forums/modding/whatever, yeah sure perhaps "simple" but quite extensive. Even for a large company, code doesn't write itself (well, not any code you want to rely on, at least).
I don't really get the console pricing aspect, sorry.
Cashback isn't a free thing, it's a marketing campaign - even if it runs indefinitely. I don't think that would work by itself, it's a bit of a gimmick.
Epic is struggling because of their anti consumer strategies, aggressive and oftentimes reckless CEO, seemingly constant and very public lawsuits with huge companies, and trying to stay relevant outside of Fortnite.
I agree that lack of social contributed to it but is far from the only problem. For example, Epic doesn't have a cart. It's been a widely requested feature, but they focus on other things.
Tencent is a cancer upon this world and I have little base respect for companies that go with them.
Anyone who played New World private alpha knew this, the first alpha (closed) had an Amazon Games Epic Games like client, they chose to remove it for New World public beta and release but I knew they had been working on it because of it
This is somewhat hilarious. Just 5 days ago I was complaining about Twitch’s new "Only verified users" setting which requires me to give them my phone number. One of the reasons I said I’ll not do that was "hacks, leaks". And now this. Sure, I’ll give you my phone number to add TOTP (Why even?) after I’ve just been shown how secure that data is.
I don't really get this. My phone number is apparently already known by every scammer and spammer on earth, which is why I never answer calls from people I don't know, so what am I losing?
Meanwhile, Twitch has had a significant bot spamming problem.
The fact that they can use this number to correlate against contact lists collected from other people.
Now I don't think Twitch itself is doing this, but they may provide this information to marketing platforms such as Facebook which will use this data for ad targeting (and they definitely have a lot of people's contacts and can infer social graphs very well as a result).
> I don't really get this. My phone number is apparently already known by every scammer and spammer on earth, which is why I never answer calls from people I don't know, so what am I losing?
The only scammers who know my number are my phone-provider and my mom. Other scammers either never call me, or just don't know the number. Protecting your number is possible.
> Meanwhile, Twitch has had a significant bot spamming problem.
Which can be solved without this. The bot-problem is more about people not using the existing tools well and twitch sucking in their handling. Adding another feature they won't use will not make anything better. Especially as the phone-number only raises the bar for bots.
You can also restrict to following-age, certified e-mail, and some more. That experienced mods do have little to no problems with bots speaks kinda for itself. Additionally, there are also a bunch of requested features on twitch-side which could have defused the problems even more, without opening the privacy-box.
I’m also subscribed to a few channels. I’m pretty sure that is a far stronger signal that I’m not a bot than getting my phone number. And unlike most people, I only had 2 or 3 spam calls, and maybe 10 spam SMS on the number I’ve had for almost 20 years.
Scam calls just end up ringing every working number these days and if you pick up even once you're already on the list of "real people". Targeted scamming of even just 100,000 potential victims is just wasted effort when with the same setup you could do untargeted scamming of 100,000,000 potential victims.
This is a readily solvable problem i.e. the only phone number I use/give online is a VOIP# that just redirects to voicemail immediately (and blocks the call if it's on my SPAMMER list of persistent annoyances).
For friends/family they have my cell# and it only lets calls through if they're in my contacts.
Even though it should not be, this approach is a luxury that can only be afforded by those who do not need to take live calls from previously-unknown numbers. Job hunters, medical patients, etc.
The point isn't to authenticate control of an account, it's to tie the account to some kind of expensive-to-replicate real-world cost, ideally one that most potential customers are already paying for.
Phone numbers are nice because the marginal cost to a customer is low (they probably already have one) while the marginal cost to a bad actor is high (it's expensive to acquire many of them or to change one once it's been identified as malicious).
I use voip.ms and it is pay-as-you-go so it's nominal e.g. $1-2/mnth. It allows setting up all sorts of call handling rules (time-of-day, CID lists, call trees).
From what I can see their 2FA is not inhouse. They're using Twilio's Authy (first time I've heard of it, honestly) so maybe the phone numbers are not in the leak.
I’m assuming they may have had access to private API keys so unfortunately Authy may not be immune. That is unless Authy hides those details from their customers.
From another site a user commented that it might have proprietary modifications to ffmpeg which is LGPL/GPL (I think?). Would a leak be considered to be distribution, could others legally take these modifications and merge them into the upstream project?
I imagine other free software might have modifications too.
The IP issues with the leak are interesting. There's got to be some Stack Overflow copy/pastes, perhaps some variable name changed license violating code, and I wonder if patent trolls or even rightful patent owners can now sue based on how backend code works in a way where they had no way to sue if they didn't know how it worked from interacting with a frontend.
But seriously, if it takes trolling through the code to determine that Twitch's math violated their special way of doing math that no one else should get to use, it's just more evidence that software patents aren't helping protect or encourage innovation (else the violation would have been apparent from using the service). It would instead clearly be a "hah, gotcha, turns out we patented the linked-list-inside-a-hashmap construction you've got going on here, pay up! Only we can put the Legos together in that way!"
I believe so, and this is why the AGPL was created:
> The GNU General Public License permits making a modified version and letting the public access it on a server without ever releasing its source code to the public.
> The GNU Affero General Public License is designed specifically to ensure that, in such cases, the modified source code becomes available to the community.
Let me add something to be clear. As I understand it, free software was always happy to let you or your company modify and use software for your own use. The philosophy was always about respecting the users of the software, so the licenses don't kick in until someone else uses it. The problem addressed by AGPL is that someone can use your software over a network connection without running it themselves: a loophole in GPL.
Yes, it is valid. Consider for example: If you are an embedded hardware company. You modify GCC to support a new target / platform. Then, you can compile C code and create binaries for your embedded hardware.
As long as GCC is not distributed, this is a perfectly valid use case for GPL'd software.
Less abstract: Facebook famously has massive internal patches for MySQL, which is GPL'd. And of course, Google has massive internal patches for Linux kernel, which is also GPL'd.
The GPL can't actually force them to license their downstream changes, just revoke their ability to use the upstream project if they don't, and sue for infringement for damages.
Just goes to show you how small the top is in streaming. Based on this data, and assuming twitch payouts are about a quarter the average streamer's income, about 300-400 twitch streamers get paid more than the total comp of senior staff engineers where I work. Let's be generous and say that these people have no staff to pay (false assumption, e.g. Pestily has stated that he pays hundreds of thousands on salaries for editors, moderators, social media people, etc.). There are far more people than that at my one company making this kind of money, not to mention all the other big tech companies and startups.
That's just a long way of saying that if you wanna get rich, learn how to write code and talk to people. Way easier than becoming one of the top 3-400 streamers in the world.
Getting paid 7 figures for writing code? That is an anomaly and is not in line with reality. Just doing a cursory Google search for Senior Software Engineer salaries puts the average at ~122k [0], nowhere close to the amount one of those Twitch streamers makes. I wouldn't call it rich either, maybe middle class or upper-middle class at best.
Only someone on this website would call 122k per year middle class. This is why America is divided. Even if you're the only breadwinner in your household this is solidly above the 85th percentile in income. That's practically the definition of upper class.
I think more accurately, it means you either have enough wealth that you don't have to work to maintain your lifestyle, or your income is high enough to support extravagance without going deep into debt.
Bezos doesn't have to work. To be honest, I don't know why he still does. Personally, if the stock options at the startup I work with end up panning out to be worth $5M or more if/when they go public in a few years, I'm taking that cash and retiring at 45. Throwing it into an S&P500 index, I could live off the interest for the rest of my life.
People are generally paid based on how hard they are to replace, not by how much profit they generate. But in some markets, this results in people making terrible wages while the company makes tons of money, ie, Wal-mart and basically all the major fast food chains.
Corporations are so used to applying arbitrary values to ephemeral things on their balance sheets that I think such a mentality seeps over into highly skilled employees in some cases.
In other cases, the business's viability is determined by how many minimum wage (or better yet, off the books entirely) laborers can be obtained in a given week. See: every construction project in every US state, for example.
Some context in case you're not used to Bay Area Big Co. Compensation:
1. Indeed, Glassdoor and other mainstream sites are useless and at best report outdated base salaries. Use levels.fyi or teamblind.com for more realistic data.
2. 50% or more of the compensation at these companies is in RSUs. These companies have performed remarkably well over the past decade. Folks who have had exposure to their stocks as employees have done very well.
3. Half a million dollars a year (before refreshers, etc.) is entirely realistic at the Staff level and at Senior Staff, you're often looking at anything from $700K to low $1MM.
For these companies, the scope and weight of someone at that level of work is impact across millions/billions of users and their actions can make or lose you similar amounts of money.
Remember that this data covers slightly more than two years of payouts. So under my (admittedly low-information) assumptions, streamer #400 gets 750k in revenue annually.
Also, you linked to the wrong job title. I said "senior staff" software engineer, which where I work is two rungs above senior engineer. http://levels.fyi has comp estimates for a bunch of the big tech cos. $750k is far from an unreasonable amount for someone to make in this line of work, and plenty of folks make a lot more than that.
I can't help but love the fact that PaymoneyWubby (a fat ginger nerd who makes interesting content, at least on youtube) makes more than Pokimane and Amouranth whose primary feature seems to be young, attractive, and female. Perhaps there's a tiny bit of justice in the world.
I see your point but it's really just a fact of online life that you can make a lot of money as a woman on twitch. That isn't to say that all women streamers are exploiting that fact i.e. aren't making actual content, but it's simply (simp-ly?) a different calculus which I can't really blame anyone who can stomach it for exploiting.
That may be true about Amouranth but Pokimane is genuinely just as content-driven and "gamer" as any of the top (like xqc for instance). There's more to her streams than her looking pretty - the same probably can't be said about Amouranth.
Indeed. A comment above also estimated sub money to be ~1/4 of streamer's earnings, but as you mention that can vary quite widely, and in my experience it does quite so for female streamers. Pre-OF sex work is quite a lot like that too, you generally have a few whales making up ~90% of your revenue on cam sites, which is not great. On Twitch too, in my experience looking at "top donators", it's usually just a few handful of people giving big sums to female streamers.
That's being irrationally dismissive of the effort and merit it takes to win in an attention market in a particular way purely because of a personally biased judgement of value.
The real genetic lottery winner on Twitch is being a white male given the relatability to the majority of Twitch's audience, and as the data leaked supports.
I mean even consider the cost those creators have to bear of dealing with people who are constantly claiming that their success is somehow invalid.
> Some Twitter users have started making their way through the 125GB of information that has leaked, with one claiming that the torrent also includes encrypted passwords, and recommending that users change their passwords to be safe.
Twitch just asked me to change password for the first time, so it sounds credible.
It's possible, if there's a full database dump, that direct messages could also be leaked, which could be incredibly damaging. I'd guess that these would be in another storage medium however.
One wonders. Why are encrypted passwords stored in an external code repository?
I'll be curious as well once this makes its way to haveibeenpwned. Requested for it to be deleted and forgotten a few years back, won't be the first time an account of mine has been "deleted" to then miraculously be hacked or caught up in a leak.
That's only a very narrow link though, isn't it? Just lets you claim Prime benefits, doesn't give access to Amazon purchasing or payment details or anything?
If it's any comfort, for some reason twitch uses Xsolla as its payment processor. That is, you cannot pay for premium twitch with your amazon account.
Looks like passwords were hashed with bcrypt using a cost factor of 10. I wouldn't be too worried for people with good passwords set up even if hashes got leaked. People with common passwords should probably change their passwords just in case though.
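To make the cost-factor remark above concrete, an added example (not from the thread): it parses a bcrypt hash string, reads the cost, and compares how long an offline search of a common-password list versus a random 12-character password would take. The sample hash is constructed, and the guess rate is an assumed figure used only for the arithmetic, not a measurement.

```python
import re
from typing import NamedTuple

# Modular crypt format: $2<variant>$<cost>$<22-char salt><31-char digest>
BCRYPT_RE = re.compile(
    r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$"
)

# Constructed sample string in bcrypt format (not a real password hash).
SAMPLE_HASH = "$2b$10$" + "abcdefghijklmnopqrstuv" + "ABCDEFGHIJKLMNOPQRSTUVWXYZ01234"

# ASSUMPTION: illustrative offline guess rate at cost 10, in guesses/second.
ASSUMED_RATE_AT_COST_10 = 10_000

SECONDS_PER_YEAR = 365.25 * 86400


class BcryptHash(NamedTuple):
    variant: str
    cost: int
    salt: str
    digest: str


def parse_bcrypt(hash_str: str) -> BcryptHash:
    """Split a bcrypt hash string into its fields and validate the cost."""
    m = BCRYPT_RE.match(hash_str.strip())
    if not m:
        raise ValueError("not a bcrypt modular-crypt string")
    cost = int(m.group(2))
    if not 4 <= cost <= 31:
        raise ValueError(f"bcrypt cost out of range: {cost}")
    return BcryptHash(m.group(1), cost, m.group(3), m.group(4))


def work_units(cost: int) -> int:
    """bcrypt runs 2**cost rounds of its key setup per password guess."""
    return 1 << cost


def needs_rehash(hash_str: str, policy_cost: int) -> bool:
    """True when a stored hash is below the cost the policy now requires."""
    return parse_bcrypt(hash_str).cost < policy_cost


def seconds_to_exhaust(candidates: int, cost: int,
                       ref_rate: float = ASSUMED_RATE_AT_COST_10,
                       ref_cost: int = 10) -> float:
    """Time to try every candidate, scaling the assumed rate by 2**(cost delta)."""
    rate = ref_rate * work_units(ref_cost) / work_units(cost)
    return candidates / rate


if __name__ == "__main__":
    info = parse_bcrypt(SAMPLE_HASH)
    print(f"variant={info.variant} cost={info.cost} rounds={work_units(info.cost)}")
    common_list = 1_000_000        # size of a hypothetical common-password list
    random_12 = 62 ** 12           # random 12-character alphanumeric password
    print(f"common list: {seconds_to_exhaust(common_list, info.cost):.0f} s per hash")
    years = seconds_to_exhaust(random_12, info.cost) / SECONDS_PER_YEAR
    print(f"random 12 chars: {years:.2e} years per hash")
    print("below a cost-12 policy:", needs_rehash(SAMPLE_HASH, 12))
```

Because every hash has its own salt, the per-hash time applies to each account separately, which is why the common-password case is the one that matters after a leak.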
Couldn't help but contrast this to another item on the front page.. the irony of video game streamers making many times more than the lifetime earnings of Nobel Prize winners :)
Sports and Entertainment has always been a way to leap frog hard work.
I am not saying at all it is not deserved. I am quite ok with them earning millions. But it does make a lot of us pull this comparison, both in achievements for humanity and in effort spent in their endeavors.
I personally never played or wish to play the fame lottery, I prefer the hard work path.
I am guessing the most popular streamers have gotten where they are by hard work.
Yes some is luck, attractiveness, etc. But that's true in all careers.
Just because they're playing games doesn't mean they aren't working. Athletes get insane amounts of money to play games. They exert themselves more physically, but I expect being a top streamer day in and out isn't a cake walk either.
Yeah, a lot of people, especially younger folks that want to be a streamer, miss the fact that people don't watch streamers just to watch someone play a game, they watch them because the streamer is entertaining.
Unless you're an absolute god at whatever game you're playing, nobody wants to simply watch you play a game. People come for the live commentary and audience interaction.
Being a successful streamer takes charisma and cleverness, and being clever and charismatic for 3+ hours straight to entertain your audience can be exhausting.
I think Kobe Bryant working on his free-throws from 4 AM to 8 PM every day for decades is much harder work than some dude making dogecoin over a weekend or minting an AI-generated NFT.
Wealth is not linear, it's not promised as the result of "hard work". Hard work helps, but it isn't the determining factor of whether or not you'll get a payout.
You must work hard in a domain that has public visibility and actually produces something of value to people. And yes, Basketball (and watching it) is extremely valuable to a lot of people.
There are plenty of professions where the people work just as hard as professional sports people. The wealth accumulated has nothing to do with working hard or not working hard, but rather with the public visibility of the outcome of the work (and ability to make money with that).
Many comments saying sports and streaming is hard work. Well, no doubt it is. Many pulling 12h or 16h work days. I agree.
Nevertheless, anyone that manages to have 5+ million USD in property and savings before they are 30 got to a level of wealth in 10 years that 90% of people will not achieve in a lifetime.
Totally fine. My issue is with the streamers who promote socialism to their fans and say that wealth should be distributed, meanwhile pocketing a huge paycheck. I guess there's a market for stupidity. It's both funny and sad.
I think you'll find most socialists don't care about people having a few million, the issue is those hoarding hundreds of millions, or billions. Of course, I can't speak for everyone.
(TTS donations, 3rd party revenue like OnlyFans, Patreon, Amazon Gifts and sponsorship deals... are not included)
Total gross payout in the leak (2019/8 to 2021/10) was 4.2 billion dollars across 344k users. (based on data points above alone but could be wrong since it's anons on 4chan.)
PS: Make sure to change your Twitch (and possibly Prime) password. Twitch is already prompting users to do so based on Reddit posts.
I don't think it's funny, I think it's sad because most of it comes from the emotional exploitation of parasocial relationships.
Something we used to scoff at in places like Asia, now even casual relationships are utterly commoditized and we taught a whole generation of young humans how that's the most normal thing in the world.
Agreed. I recently started exploring Twitch and in the first hour of just sitting there watching it, I was surprised how aggressively exploitative it was. The fact that it's young people there exploiting makes it even more gross.
Isn't that the basis of the economy with the increasing wealth gap and so on? It's not really materially different to paying Disney millionaires to go watch the latest Marvel movie.
> It's not really materially different to paying Disney millionaires to go watch the latest Marvel movie.
I feel like it's substantially different, you are paying Disney the money to watch the movie, you don't really care about the actors or other people who worked on it.
On the other hand, twitch users pay for the sake of paying money, it's closer to something like strip clubs.
That's a pretty harsh moral/value judgment on how someone chooses to spend their entertainment money.
What about comedy clubs? If I buy a ticket to see Dave Chappelle, who is clearly wealthy, am I sucker too?
What about paying cover at my local bar because a local band is playing that night?
What about buying tickets to a baseball game, to see a bunch of millionaires play a game for a few hours?
You are making it seem like users get nothing for their money, when there is plenty of established precedent for giving money in exchange for attending a performance.
Sure the performance has changed, but the actual difference here is that these Twitch millionaires (and the rest who are far from millionaires) are literally charging "pay what you can" instead of setting a minimum ticket price for their show. Plenty of people (the majority in fact) get the show for free.
Sorry, I didn't mean that in a derogatory way. I just meant twitch users pay for the sake of giving money to their favorite streamers rather than paying for a product. Strip clubs are the first example that came to my mind, bands or comics also stand. My point was that OP's argument about comparing twitch to movies doesn't make sense because paying for a movie is no different than paying for groceries.
> because paying for a movie is no different than paying for groceries
Groceries are necessary for survival, and limited in quantity.
Movies and streams are similar to each other because they are both video content. And as long as the creator of the stream or the company behind a movie get paid enough to make the content they could’ve received no more money and still gotten by fine.
Streams are a little bit different from movies though because much of the audience is actively engaging in conversation with the creator or making requests to them etc. In that sense a stream has an aspect of limited supply to it that a movie does not. At some point the audience of a stream will be too big for the creator to be able to meaningfully interact with all of them, and at a point after that maybe even too big to be able to meaningfully interact with any of them.
And so if you have a lot of people that want to interact with you it makes sense to prefer interacting with the ones paying you money, and to encourage them to do so. And beyond that, it also makes sense to offer “exclusive” content to people that pay. So OnlyFans makes sense too.
What really has me upset though is thinking of the people that are in the audience, among whom some people have little money but also get so little attention IRL that they are paying someone who already has a lot just to interact with them and maybe even being deluded into thinking that they have some form of “real” relationship with them. That is very sad and something I don’t think has been studied enough and is not being talked about enough.
I sub to twitch streamers I watch because dollar per hour it's the cheapest form of entertainment besides torrenting for me.
There was a stint during the GTA V RP craze I had it on in the background and watched it for approximately 6-8 hours every day. I subbed to one streamer for like 5 bucks.
This averages out to like 2 cents/day for 240 hours of entertainment. Cheaper than netflix, cheaper than cable, cheaper than hulu... You catch my drift. I don't know how this is different than me paying $80 to spend a night out at the movies with my wife, other than it being insanely cheaper?
> I just meant twitch users pay for the sake of giving money to their favorite streamers rather than paying for a product.
I still think this is a narrow view.
So you don't consider a performance to be a product?
How is going to the movies different from going to a baseball game or a concert or a comedy club?
If those are like movies, and movies are like groceries, are we not back to the same point that people are exchanging money for some kind of benefit, whether it's a tangible thing they take home or an experience they enjoy?
I think strip clubs are a fair comparison. All of the things you listed, you pay money for access to the experience. The money changes hands before you get in the door. For both strip clubs and twitch, getting in the door is free. In both cases what you pay money for is the attention of the streamer/stripper in the moment you are giving the money (or just because you feel like giving money to them for the performance you are seeing.)
A less emotionally evocative example might be giving money to a street musician who accepts requests for donations. Either way, the street musician is there performing and you can enjoy the music whether you pay or not. But the money gets you a bonus, and you’re free to give money regardless of desire to request a song.
I'm not sure I agree that "paying money to get attention" is the majority of the monetary interactions on Twitch.
Or at least, maybe that's a welcome side effect but not the main motivation for a lot of people.
I am guessing here, I have no data to back this up, but I feel like a lot of people sub out of gratitude and as a show of support, and less to draw attention or get some kind of shout-out..
I do watch a decent amount of streams on Twitch across a few categories, but I've never subscribed or donated to any of them, so it's possible I'm wrong here.
Also I did make the distinction between paid performances and "pay what you can".. That was indeed my point, that Twitch differentiates itself by being an essentially "pay what you can" service where the majority don't pay anything, but lots of people still manage to make money giving their work away for free.
Groceries are so far outside of paying for any form of entertainment. What does it matter if you pay for a movie or tip a streamer? It's all content meant to be consumed and replaced with more content.
There are three things you need to survive: food, shelter, and love/community.
Entertainment can sometimes provide the last one (love/community) but for the most part it's fulfilling a need for distraction and/or curiosity.
Like with strip clubs, when you give money to a Twitch streamer, you're getting something in return. Twitch subscribers get lots of exclusive access to stuff.
Twitch streams aren't free though. If nobody paid then they wouldn't exist. It's just a voluntaryist model. Those that pay, do, those that can't or don't want to, don't. So I'm not a sucker for choosing to fund a form of entertainment I find valuable.
I treat museums the same way. When I was young and poor my parents didn't pay to get in since it was optional. But now that I'm older and I make good money, I donate extremely well when I go to museums. I know that it's voluntary and I choose to participate in funding it because I enjoy the experience.
Even if no one paid, they would easily exist through ads and sponsorships. Paying a rich person for something free is just bad money management no matter how you rationalize it to yourself.
Do you think the same way with movies? Many movies could probably survive on ad placement revenue alone. Why do you pay to go to the movies? Do you think the same way with buying a laptop? I'm sure you could fund a laptop with ad and bloatware placement, so why do you pay bill gates for a surface book?
If nobody paid to go to the movies, then nobody would want to advertise in those movies, those movies would lose their sponsorships, and stop being made. If everybody unsubbed from netflix right now they would stop funding original content, even though the content they make has ad placements. Why even ask netflix for money if you can just make a wildly successful tv show with ad placements and release it for free?
Why should you pay to go to a football game? Why should you pay to watch a football game? All the players have sponsors. They're all millionaires. Why did our parents pay for cable? Cable had ads, all the actors were millionaires, the cable company owners were millionaires, the production studios were millionaires. You're saying practically everyone who bought cable in the 1990s-2000s was bad with their money because the actors were millionaires and had ad sponsorships? Give me a break.
I just think it's incredibly disingenuous that because someone is leveraging a SLIGHTLY different monetization model that allows for free consumption, that anyone who pays for it is bad with their money. Maybe if you condemned ALL luxury spending with the same energy I could see you're at least being consistent. But this is just more irrational disdain for the new wave of media consumption.
Some people, on the other hand, like to reward others if they enjoy the product/service/performance they provide.
That's the nature of "pay what you can". If money is tight, then don't pay, and don't feel bad about it. But if you have disposable income, and you value the experience, then give what you can as a form of gratitude.
It doesn't need to be said that if everyone took the "it's free so I don't have to pay anything" route, then there would be no show to see.
I mean....sure, I guess, if you're only talking about the top 10 or maybe top 200 streamers.
My favorite twitch streamer, 'x5_pig' (996th highest earner on twitch) only grossed $186,000 over 24 months, and lives in a fairly HCOL area in Australia. I'm happy to give him $5 or so to help make sure that he continues to stream an EOL game, Starcraft2.
Sure, he has other revenue streams as well but I can only imagine the risk he takes by sticking with a game that's been EOL'd. When Blizzard shuts down the servers I imagine he'll have no career left at all and will likely have to start over in a totally different career. I'd be surprised if he could start streaming some other strategy game and maintain enough earnings.
I pay him $5/month to help swing his risk-reward balance in favor of continuing to produce the content that I most enjoy vegetating to after my 12 hour day of coding/troubleshooting/collaborating.
Sure, he has other revenue streams (YouTube, announcing for major tournaments, etc). But I imagine for him it may be important to earn enough over the 10 year life of Starcraft2 to mostly-retire in case he ends up without a "real" career.
In fact, sometimes I wonder whether income tax brackets could potentially include consideration for short-lived high earning careers. Seems it might be slightly broken to tax someone who has a stable $1MM/year income for 30+ years (e.g. car dealership owner) the same % as someone who makes $1MM this year, but next year might be earning $40,000 working at that car dealership (athletes, streamers, windfalls, etc). Seems like it might make sense to allow people to "defer" earnings to future years, as long as income tax is eventually paid in full. This could allow people who unexpectedly earn $1MM for just one year to spread out those earnings over 10 years and pay a more appropriate % as taxes. Not sure what else this could break though, or how much of a problem it really solves vs. other things legislators could be spending time on.
I would assume big streamers are running a business too. At the very least they are paying an accountant and probably lawyer (for incorporation, taxes). I'm sure some are also paying designers, editors, marketers, advertisers, agents, managers, etc.
On youtube you have streamers merging under the same umbrella to create branded channels.
IMO the differences compared to Disney is the scale of the production and the interactive medium (which is constrained by scale). Once you reach a certain scale I don't think you can expect much direct interaction due to the volume of chat. So really it's just scale.
I mean it's not cynical (at least not anymore than your initial comment), it's what we're doing and why I used another entertainment option as a point of comparison.
Of all the things on Twitch the value of Hot Tub streams seems very upfront and I think it's pretty telling that there are vanishingly few successful streamers doing it and that, for all the hot air people spew about it, it's a very niche part of the site.
Same as with paying to see a Disney movie: entertainment. It's just a bit more interactive, since streamers are a bit more likely to interact with you after you give them money.
Is there a point you're failing at making? In my mind it's no different than, say, voting for contestants on talent shows, or paying a camgirl, or pay-per-view WWE events. Same thing targeting a different demographic.
I think the word you are looking for is entertainment. You may not appreciate the value of said entertainment, but then I don't really see a merit of donkey shows, Kanye or just about any other entertainment figure. That is the value.
Are you using VHS for said taping? I suddenly wonder if this is one of those anachronistic phrases, or if people no longer use it and you're revealing your age.
To be fair, the number of millionaires is overall pretty low. Just a few dozen worldwide. Most top-streamers "only" earn as much as upper middle-class or less. Compared to other sketchy businesses, this seems relatively ok. Be aware that those numbers are before taxes and are not including expenses, which can be quite high in the top league.
Yeah, it's so absurd it's hilarious. Seeing people make millions of USD for playing games and mentioning others in a live stream made me seriously rethink the value of my own work.
Yeah, and what's wrong with that reaction? I'm supposed to just accept this stuff?
The blue collar workers are right too. They should be getting paid a lot more. Certainly not less than streamers. It's not fair and I refuse to accept it.
Come to think of it, advertisers seem to be a major cause of these distortions. They distort the value of activities that happen to have an audience. Yet another reason to block ads: help restore balance to society by ensuring people are properly rewarded for the actual value of their work instead of how many eyeballs they can summon.
Because that's not the field of work I chose for myself. I do see construction workers on a daily basis though. I also know the owner of a construction company, he's part of my extended family. The wealth disparity between the workers and my family member is obscene. There's no way I'll ever believe they couldn't be paid better wages.
There’s a very large nearly endless supply of laborers that can do this type of work though. The more niche your skill set the higher you can demand in pay. This is economics 101. You are putting this into a moral space that doesn’t reflect economic realities.
It's somewhere between "paying to not see ads" (mechanical) and "being a fan and wanting to contribute to them" (parasocial). I don't think most people care if they're a fan of a millionaire - see sports and entertainment celebrities. Looking at things reflexively through a wealth-inequality perspective is done only by a minority of people.
I was watching a streamer the other day and she was doing some stunt because another streamer promised her an iphone 13 pro. But now I realize she could buy hundreds of them! Argh. Here I am waiting two months so I could afford to put a down payment on one.
In streaming case, for whatever reason you want to make a donation to somebody, not doing it because they are richer than you seems very strange to me.
> I wonder if this'll lead to software engineers in big companies having more restricted access to code?
I don't think that Twitch has closed source code because they want to keep code private. It's probably more a matter of not wanting to show commit messages in case there are some bad words inside them, and not wanting to show the world in case their source code looks bad.
Twitch without its source code can't work, yeah, but imagine if all the commits of Twitch were public: I doubt it would change anything for them.
It would be nice if there was a mental change about source code and that it is fine to show it even if it looks shit.
You don't think the largest streaming platform on the planet wants to keep their intellectual property a secret? This isn't about being embarrassed over some comments, it's about completely revealing the algorithms that move streams to the promoted views, limitations of their filtering systems, the time it takes for someone to count as a 'viewer'... there are many pieces that are no longer secret and can now be manipulated by people trying to promote content or game the recommendation system or bypass filtering.
There is also the issue of security. I'm sure people will be combing through the source code to find anything they can exploit, even if it's a simple XSS attack. It could either be sold/used for malicious actions or submitted to the bug bounty program for the reward money.
Doubt they care too much about bad words in commit messages, what they should worry about is if they've ever checked in passwords/secrets/private keys and not re-written the git history.
Commit messages that imply anti-competitive behaviour ("Committing a change to the API to lockout competitor XYZ").
Commit messages that imply code theft ("Using a method that we used at my previous company").
etc.
Sometimes things that look sketchy might be innocent but will still cause nightmares for twitch since they'll now have to play defensively as people call into question anything that ever went into the repo.
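As an added illustration (not part of the thread) of the point above about secrets that were checked in and never rewritten out of git history: this Python sketch parses `git log -p --all` output and flags credential-like added lines, marking those a later commit deleted but which remain recoverable from history. The rules, sample log, commit ids, paths and values are all constructed for the example.

```python
import hashlib
import re
from typing import NamedTuple

# Illustrative detection rules, not an exhaustive set.
RULES = {
    "private-key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "hardcoded-credential": re.compile(
        r"(?i)(?:password|passwd|secret|token|api_key)\w*\s*[:=]\s*['\"][^'\"]{6,}['\"]"
    ),
}

OLD = "a" * 40  # constructed commit ids
NEW = "b" * 40

# Constructed `git log -p --all` output (newest commit first).
SAMPLE_LOG = f'''commit {NEW}
Author: Dev <dev@example.com>

    read db password from environment

diff --git a/settings.py b/settings.py
--- a/settings.py
+++ b/settings.py
@@ -1,3 +1,4 @@
+import os
 DB_HOST = "db.internal.example"
-DB_PASSWORD = "constructed-pw-123"
+DB_PASSWORD = os.environ["DB_PASSWORD"]
 AWS_ACCESS_KEY_ID = "AKIAEXAMPLEEXAMPLE00"
commit {OLD}
Author: Dev <dev@example.com>

    initial import

diff --git a/settings.py b/settings.py
new file mode 100644
--- /dev/null
+++ b/settings.py
@@ -0,0 +1,3 @@
+DB_HOST = "db.internal.example"
+DB_PASSWORD = "constructed-pw-123"
+AWS_ACCESS_KEY_ID = "AKIAEXAMPLEEXAMPLE00"
diff --git a/deploy/id_ed25519 b/deploy/id_ed25519
new file mode 100644
--- /dev/null
+++ b/deploy/id_ed25519
@@ -0,0 +1,3 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+(constructed placeholder, not key material)
+-----END OPENSSH PRIVATE KEY-----
'''


class Finding(NamedTuple):
    commit: str
    path: str
    rule: str
    line: str         # added line with the matched value masked
    fingerprint: str  # hash of path + raw line, so the secret is not carried around


def _path(header: str) -> str:
    """Extract the file path from a '--- a/x' or '+++ b/x' diff header."""
    p = header[4:].strip()
    return p[2:] if p[:2] in ("a/", "b/") else p


def _fp(path: str, text: str) -> str:
    return hashlib.sha256(f"{path}\0{text}".encode()).hexdigest()


def scan_patch_log(log_text: str):
    """Return (findings, removed): flagged added lines and fingerprints of removed lines."""
    findings, removed = [], set()
    commit = path = old_path = None
    for line in log_text.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1]
        elif line.startswith("--- "):
            old_path = _path(line)
        elif line.startswith("+++ "):
            new_path = _path(line)
            # A deleted file shows '+++ /dev/null'; keep its old name.
            path = old_path if new_path == "/dev/null" else new_path
        elif line.startswith("+"):
            text = line[1:]
            for rule, rx in RULES.items():
                m = rx.search(text)
                if m:
                    masked = text[:m.start()] + f"<redacted:{rule}>" + text[m.end():]
                    findings.append(Finding(commit, path, rule, masked, _fp(path, text)))
        elif line.startswith("-"):
            removed.add(_fp(path, line[1:]))
    return findings, removed


def history_only(findings, removed):
    """Secrets a later commit deleted: absent from the tip, still in history."""
    return [f for f in findings if f.fingerprint in removed]


if __name__ == "__main__":
    found, gone = scan_patch_log(SAMPLE_LOG)
    for f in found:
        state = "history only" if f.fingerprint in gone else "still present"
        print(f"{f.commit[:8]} {f.path}: {f.rule} ({state}) {f.line}")
```

Anything reported as "history only" needs the credential rotated as well as the history rewritten, since the deleting commit left the old blob in place.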
Dozens? The 4chan post said "almost 6,000 internal Git repositories". We don't use git at work (TFS, yay), and we definitely aren't on their scale, but that seems high to me. Do they have a repo for every class? Is this normal?
I've never worked in this way (when I've been part of the org), is it that common? What are the benefits of making everyone fork repos vs branching off the original repo?
It's common in general open source projects where you might want to send a patch for something that you don't have commit privileges to, but I've never seen that used in enterprises as they have central auth / groups with the users required to work on the code.
I worked at a large gaming company and that was definitely the collaboration model.
Before per-branch controls, the only way to disable write access (while maintaining read access, pull-request privs, etc) to a repository's blessed branches was forks.
TFS converting to Git/Azure DevOps here. Be the change you want to see in the world! There's a chance that some of the people in your org that don't use TFS could use the organizational tools built into GitHub/GitLab/BitBucket/DevOps. If you get enough teams on board with that platform that also happens to use Git, then you can make that push to IT!
My company has way more than 6,000 devs and each dev creates a git repo as part of our onboarding process and uploads it to our centralized git tool (you create and push a mostly empty test repo as part of the basic training). Just from that, I'd imagine my company has tens of thousands of git repos, although a lot of them probably only have a single file or some random throwaway code.
The number of git repos might look big but without knowing more, the content of most of those repos could be a complete nothingburger. Number of git repos is pretty meaningless metric, IMO.
Note it doesn't say unique git repositories. It could just mean each employee's fork is included in that count, which would inflate the number like that.
It's already the case and actually a big fight we're having (company of 70k employees spread everywhere) because we can't reverse engineer our upstream and downstream systems and it leads to huge bottlenecks trying to understand them when issues arise, as we need other teams etc.
Many of those companies still have a few (not always skilled) IT people with access to everything! And they sometimes make it easy for themselves by putting themselves in 2FA exception groups etc.
Will depend on the company. Back when I worked for British Telecom, some team leaders with wide access to code & data on some projects had to go through Developed Vetting (TS clearance).
Back in the mid 90's there was an issue in Scotland when a well known journalist got a job in a call center and looked up the private telephone numbers for the Queen.
Am I the only one a bit disappointed by the gross earnings for the top 5 earners given how much the media has been hyping the money made by e-gamers? For some reason I would have thought they would make more money over 2 years. Top earner was grossing $9.6M ($4.8M/yr), 10th was $2.9M ($1.4M/yr), at 81 you drop below $1M (500k/yr) on twitch pre-tax revenue. After 81 you drop below the $1M over two years threshold.
Actually the more I think about it - that does seem like a lot if you add in their other rev from youtube channels and other compensation. I understand why all the pro players started working on their twitch stream content more than winning competitions. More stable business and viewer base.
A lot of those streamers are pretty open about how twitch revenue is a small portion of their earnings.
Ninja was famously paid $1MM for an 8 hour ad of playing Apex at launch.
I've had private conversations with large streaming friends that have all said independently that the amount they get paid from a short Raid Shadow Legends ad is huge. One said it's enough to buy a nice car, and if they hit their target downloads (w/ link) the number jumps up to enough to buy multiple nice cars.
There is a lot of big money for streamers, not just big streamers.
I saw a thread on twitter as part of this leak that showed chat of a streamer turning down around $1.6 million a month to advertise a gambling website, because another one was paying more.
I'm not surprised by any of this. If you ever did any digging in to how much advertising pays, ran numbers on twitch subs, etc, these numbers match that quite closely.
Number 1 is Critical Role. Their website lists 24 employees (many of whom are professional actors), and I’m sure there’s more behind the scenes. Salaries add up quickly.
I'm pretty sure that Critical Role isn't the main income for most people.
Also: 4.8M/24 people is still 200k per head. Even if you assume that various costs take 50% of the revenue, they're all still making 6 figures for a thing that's pretty much a side hustle for most of them.
Let's say payroll is half their total costs. Payroll taxes plus income taxes works out to somewhere around 40-60% of the remaining amount. Health insurance is probably in the 10% range per year, leaving them with a $50k salary. Costs are not, of course, quite that high.
As a point of comparison, a talented voice actor can gross around $125k per year, working from home as a freelancer. I don't feel that the Critical Role actors are being overcompensated at all.
You think an assistant is being paid same as busy TV actors? :)
The most amazing Critical Role fact might be that its creation was indirectly financed by Youtube/Google :o. Felicia Day knew all of those guys and about their private DnD game, she invited them to film a few episodes for her YT channel "Geek & Sundry". Channel started with $1Mil advance from YouTube Original Channel Initiative, one of the rare if brief successes.
That works out to $200k/year for each employee, which after you account for benefits is a solid middle class income, assuming they don't live in downtown San Francisco or something.
The traditional distribution of social classes historically was something like 90%+ working+lower classes (farmers/craftsmen/factory workers/service jobs/soldiers/etc) 9% middle class (merchants, doctors, lawyers, officers, scholars, managers) and 1% or so of upper class (landlords, aristocracy and capitalists; CEOs and politicians). Middle class grew much larger in mid-20th century USA, exceeding 50% but perhaps that's just a temporary situation that's now reversing as the inequity has been significantly increasing in the last 50 years or so and it looks like in the future middle class might be a minority forever - IIRC current stats would be something like 1-2% of upper class, 45% middle class, and the remaining 53% or so working+lower classes.
If you look at social class stratification, the general assumption is that if you have to work a job for your income, you're not upper class, you're serving in the employment of the upper class. If you have a high paying job, that's defined as "upper middle" social class at least until you have accumulated wealth to transition to a capitalist/owner/investor role (as some popular musicians and athletes do); being in the top 4% of earners is quite reasonable for traditional upper middle class roles e.g. independent lawyers and doctors, which also tend to earn 200k+/year in USA.
It's among the top 4% of income, that's an objective metric. Being in the top 4% of people in one of the wealthiest countries in the world is objectively not middle class.
I don't think you've been keeping up with home prices and insurance costs around the country. $100k take home isn't all that anymore. You're not food stamp poor, but it's easy to be house poor at that income level, especially if you're shooting for a better school district. Health insurance costs eat up so much of that it is not funny, even if you are healthy. If you or someone in your family comes down with an expensive medical condition you'll be in real trouble.
True, these people are all self employed, so insurance costs would be pretty large. If you're making 200k I'd still say you've probably got at least 100 left over after taxes and insurance. That affords you a 600k house using the 30% of income rule if you can get the down payment together.
That is literally the top earner in the community made up by a team of people.
The media/VC etc community has been hyping e-gaming as the new sports domain. That said the top salary for a sports player is $168M / year for one player (Lionel Messi) and number 99 is $35M/year (source: https://en.wikipedia.org/wiki/List_of_largest_sports_contrac...)
It really shows how much of a step change there is between the sports & e-sports and I would be curious how much of this Twitch is keeping to themselves instead of paying out.
Not to mention how much uptime e-gamers have to put in.
Also good to note that most streamers have a side donation system that more than likely isn’t included in these numbers. Donations seem to be generally run through a non-Twitch third-party site. And is probably a substantial increase if not a doubling of their income.
Before commenting on how much revenue this seems to be for the streamer, remember that most streamers hire and maintain staff. Preach Gaming, for example, has 6 full time staff. Angry Joe is somewhere around 8. Critical Role’s website lists 24 employees, plus more who are likely not credited.
If you squint a bit, that's not that far off of niche pro athlete money (especially given that the bottom end doesn't have the same discrete threshold that pro sports do). Per [0] the best-paid NHL players are making ~$10M/year, and I would expect the NHL to be more efficiently monetized than internet streamers (we know that making money as "talent" on the internet is a tough proposition).
> PS: Make sure to change your Twitch (and possibly Prime) password. Twitch is already prompting users to do so based on Reddit posts.
This is not worth worrying about. If Twitch is making you reset your password, that means you don’t need to hurry because they’ve already locked your account. If your password hash leaked, the important thing isn’t Twitch, it’s every other place you used the same password.
There are downsides to asking people to change their password for everything! (even though this is a big "everything")
I remember some services send you a message telling you to change your password anytime a new device logs in or even fails to log in to your account. That causes most people to pick weaker passwords, since they're not all using manager apps.
Cry? Realistically speaking, this isn't going to happen without physical access to your computer or malware, though. So don't leave your computer unattended and don't download sketchy things.
Expecting people to simply memorize a unique, strong password for every single website that they use is unrealistic. Of course, no solution is perfect, but that doesn't mean we shouldn't improve the current situation of people reusing passwords with maybe slight modifications per website.
Outside of the same authentication domain with bad auth token practices (Windows), the hash almost always is useless elsewhere. Salting increases the complexity and thus size of hash tables or hash comparison (rainbow tables), but if you manage to break or brute force the entries, salted or not, the secret often is reused by many users.
That's not what salting does, and different hashing methods are irrelevant. The danger of having your hash leaked is that it can be cracked and the plaintext password recovered. The hash itself is entirely useless for logging into other services.
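The distinction argued in the comments above (a per-user salt makes identical passwords hash differently, while the real exposure from a leaked hash is a recovered plaintext that was reused elsewhere), as an added example that is not part of the thread. The two sites, the passwords and the PBKDF2 parameters are constructed for illustration and say nothing about how Twitch stored credentials.

```python
from __future__ import annotations

import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this demo only


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Return (salt, derived_key) using PBKDF2-HMAC-SHA256 with a per-user salt."""
    salt = os.urandom(16) if salt is None else salt
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, key


def verify(password: str, salt: bytes, stored: bytes) -> bool:
    """A login check takes the plaintext and re-derives the key; it never accepts a hash."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)


def demo() -> dict:
    # Constructed sample: one user reusing one password on two unrelated sites.
    reused = "correct horse battery staple"
    salt_a, hash_a = hash_password(reused)  # record at "site A" (the breached one)
    salt_b, hash_b = hash_password(reused)  # record at "site B"
    return {
        # Same password, different salts: the stored values do not match, so a
        # precomputed table or a cross-site hash comparison finds nothing.
        "hashes_differ": hash_a != hash_b,
        # Submitting site A's leaked hash as the password at site B fails:
        # site B hashes whatever it receives with its own salt.
        "leaked_hash_logs_in": verify(hash_a.hex(), salt_b, hash_b),
        # The real exposure: once the plaintext is known, reuse opens site B.
        "reused_plaintext_logs_in": verify(reused, salt_b, hash_b),
        # A password unique to site B means the reused one is rejected there.
        "unique_password_contains_it": not verify(
            reused, *hash_password("site-b-only-Xq7!")
        ),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```
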
If this is a phrase to unlock a bitcoin account with 1000 bitcoins in it, then you can easily convince people to try and brute force it.
Do you have Amouranth's or xQcOW's salted hash from this leak? Might be worth trying to brute force it.
You try on those kinds of accounts because they might have re-used it or the password might be patterned or not completely random, which gives you a chance that the credential might give you access elsewhere.
If you arbitrarily take $50k as a living wage then it's basically the top 2000 streamers who can make a living on Twitch. Random googling tells me there were approximately 8 million active streamers in September. Again arbitrarily assuming that 7 million of those are 'casual' and doing it for fun that means the percentage of streamers making a living wage is 0.002%.
Back of the napkin math but kinda depressing.
Edit: Someone on Twitter told me that Affiliate status is pegged around the top 3% of streamers. So taking that as my new baseline for "trying to make it" since you can actually get paid out, it raises the percentage to a whopping 0.008%!
Right I take that sort of thing into account by snipping off the vast majority of people active streaming. Basically guessing that only the top million people streaming are actually aiming to make a living wage.
The thing with Twitch streaming is that you can do it from almost anywhere. So, $50k is maybe a bit high for a living wage.
Plus, Twitch is probably just one source of income for many content creators. For many it's not their primary source, but just a side source. YouTube, Patreon, OnlyFans, outside sponsors, or even esports may be where they make most of their money.
This is a, maybe, long way to get to this, but keep with me. I have always been fascinated by understanding what is edible, useful, or "traditionally medicinal" in the natural world around me.
I have spent decades of my life learning about how to use, propagate, and cultivate most plants, animals, fungi, and minerals (not the propagate part here) in an area +/- 100 miles from where I live. I've taught a couple of State University extension classes, and regularly sell at a farmers market the things I gather/grow, just for shits and giggles.
People have asked me for years why I don't do this for a living. Why don't I do that instead of working a job that I am neutral to, but that pays the bills.
Because all of that sounds exhausting. Needing to maintain a presence on so many platforms, interact with so many people, and constantly be thinking about my next thing for all of the various platforms is just exhausting.
I don't know how people can do it without burning out.
So then there's even more pressure to perform, at a higher level even, to pay for the lives of myself at least one other human entirely. I still don't get it.
> The thing with Twitch streaming is that you can do it from almost anywhere. So, $50k is maybe a bit high for a living wage.
The thing is the power law curve is so strong that if we take the top ten thousand, which sets a living wage at approximately $11.5k, which is definitely not a living wage in a lot of places people stream from, then that only improves things to the top 0.04% (of those trying to make it).
> Plus, Twitch is probably just one source of income for many content creators. For many it's not their primary source, but just a side source. YouTube, Patreon, OnlyFans, outside sponsors, or even esports may be where they make most of their money.
If you read the original comment the gross amount supposedly includes 3rd party revenue.
There's no way it includes all 3rd party revenue. Many big YouTubers have a Twitch, and occasionally stream on it, and they maybe make very little on their Twitch but would be near the top of this list from YouTube revenue. Dream, for example.
Insanely high or insanely low? I actually felt kind of weird that I make more as a software engineer than some of these legit celebrities (not the very top ones of course, but still more than many of the ones I follow or have heard of)
Keep in mind this is just what they make which Twitch knows about. Plenty of sponsorships, tournaments and other income streams exist for a majority of these people.
On top of that, besides their eceleb status, most of these people aren't that professional. Plenty of them are a combination of variety or casual, often to a degree the person isn't even that good in games in general.
Their production quality also isn't anywhere near amazing (note it can be both organic and high quality), and other parties (e.g. Hololive) have shown how easily the space can be disrupted. For those curious, notice how many top streamers still lack actual high quality audio (mostly from their own lack of voice training rather than equipment), proper schedules and sticking to those schedules, high quality video when applicable (e.g. bad light), allow themselves to get devolved in politics, allow their streams to go majorly off-track in general, etc. It's not like these guys don't have the means to drastically improve it.
And the obvious: we don't have anywhere as much of a shortage of people willing to play games in an extremely dedicated manner as doing software development.
The other thing for comparison to traditional jobs is the hours worked. Most streamers I follow work insane hours. Then the other bits and pieces they have to pay for themselves. For example taxes employers would otherwise cover and things like health insurance in the US.
On production quality, I think it's a mistake to think it matters too much. Live streaming is a different thing to television. In very much the same way Roblox is different to AAA games.
There's also a level outside of the more chaotic personalities who make a lot of money in spite of themselves where there is a lot of professionalism going in to making things seem pretty casual because these people know their audience.
The hours worked is all over the place really. Some of the top streamers don't work anywhere close to 40 hours or past it. Others grind 10 hours a day for almost every day of the year (often burning out a few years later). A lot of the top streamers do a combination of taking sporadic breaks, streaming only 3-4 hours a session, etc.
The other problem with looking at hours worked is it's hard to quantify sporadic interactions on multimedia and the likes. Arguably the biggest drain, most of these people are always "online" and have a hard time unplugging themselves. This is further exacerbated by the momentum loss most streamers perceive when not streaming for a long while.
> On production quality, I think it's a mistake to think it matters too much
But we don't really know that yet. It's extremely hard to quantify all these variables and what truly matters. What we do know is many people in these circles have fallen to the side since they were unable to keep up with the modicum of effort newcomers put in despite their lack of resources and despite the first-mover advantage these old-timers had. At the same time, we see other parties break through with new concepts while putting in a ton of effort to market and PR themselves, and it worked, as seen with the Hololive example. The top earner is (apparently) also much more professional than the majority of the top 10/100/N.
> Live streaming is a different thing to television
If anything, this is the biggest problem. If beginners are expected/advised to put in much more effort and resources to (increase their odds of) breaking through compared to before, why is it acceptable for someone earning a Silicon Valley-equivalent salary while living in a much lower CoL area to stream in a dank basement or attic with poor audio quality? This isn't a criticism as much as a question. Maybe it doesn't matter. But it's also the question which makes people wonder "should they be earning as much as they do?"
I hope I didn't misread the numbers but to my understanding it's just what they get from twitch directly (ads/subscriptions share), most streamers probably make significant amounts in donations on top of that, and probably have secondary revenue streams via YouTube (stream highlights etc.)
Depends on your local legislation, but be careful that by default on torrents you are also sharing those files to others so you are also distributing stolen material, so it may have an impact on your potential "crime".
I saw the payout pastebin, but I'm very curious what the Amazon vs streamer cut is for sub revenue in particular. This is the key thing streamers negotiate with Twitch over, and is covered by the NDA.
Rumor was recently negotiations have been very cut and dry for newer big/up and coming streamers basically being told to take some algorithmically assigned cut or give up partner status.
My wife and I can't wrap our brains around the fact that payment info was leaked alongside source code.
Any theories how this happened?
Former pentester btw. I saw a lot of interesting things during my time, but I can't recall seeing a payment database next to a source code repo.
Did their s3 bucket get popped or something?
Even if their github enterprise got popped, that doesn't explain that streamer payouts down to the dollar were leaked. "Oh yeah, I commit all my stripe data into github. It's for compliance /s"
EDIT: If you want to see how much everyone's making: https://www.reddit.com/r/LivestreamFail/comments/q2gooi/twit...