D

Twitch

Serious concerns
Amazon · 🇺🇸 United States
Technical details
Manufacturer: Amazon

⚠️ The bottom line

In October 2021, a hacker dumped 125 gigabytes of Twitch's internal data on 4chan with the hashtag "#DoBetterTwitch." It wasn't a sophisticated attack — it was a server misconfiguration. The leak included Twitch's entire source code, internal security tools, and an unreleased Steam competitor codenamed "Vapor." Evidence from a 2014 breach — right after Amazon bought Twitch — was still visible, suggesting Twitch never fully cleaned up from the first hack. The attacker called it "part one." Amazon's response: "we're confident no credentials were exposed." The source code was.

The 2021 Twitch leak exposed exactly how much every single creator earned. CriticalRole: $9.6 million. xQc: $8.4 million. Summit1g: $5.8 million. But it wasn't just the millionaires — small creators making $200 a month had their income published alongside the top earners. The exposure triggered harassment campaigns, doxxing attempts, and stalking fears. Twitch's privacy policy promised creator financial data was confidential. A single server misconfiguration turned every streamer's bank statement into a 4chan post. Amazon, a $1.7 trillion company, couldn't configure a server correctly.

Legal jurisdiction
🇺🇸 United States (headquarters)
CLOUD Act: The US government can demand your data from this company even if it is stored overseas
FISA §702 / PRISM: NSA collects stored emails, photos, messages without individual warrants
Geofence warrants: Police can demand location data for everyone near a crime scene
Spying: 2/4 MODERATE (Is someone spying on me?)
Data Sharing: 1/4 LOW (Who gets my data?)
Security: 3/4 HIGH (Is it actually secure?)
Honesty: 3/4 HIGH (Can I trust what they say?)
CONFIGURE: High-risk areas that can be partially mitigated with settings changes.
7 Contradictions
2 Critical
4 High
1 Medium
6 Sources
Findings by concern
Spying 2/4 MODERATE 1 finding
⚡ high · policy claims vs regulatory findings
Amazon bought Twitch for $970 million in 2014. Now your Twitch viewing habits merge with your Amazon purchase history, Alexa recordings, Ring doorbell footage, and Whole Foods shopping. Amazon sells Twitch ad inventory programmatically — advertisers target you on Twitch based on what you bought on Amazon last Tuesday. Watch a cooking stream? Amazon knows you just bought a frying pan. You signed up to watch people play video games. You got enrolled in Amazon's cross-platform surveillance advertising network.

What they claim: Twitch operates as an independent platform with its own data practices.

What we found: Amazon acquired Twitch for $970 million in 2014 and progressively integrated it into Amazon's ad infrastructure. Amazon DSP sells Twitch ad inventory based on Amazon purchase history, search history, and browsing. Twitch viewing feeds back into Amazon's advertising profiles across shopping and entertainment.

Security 3/4 HIGH 2 findings
⚠️ critical · policy claims vs network analysis
In October 2021, a hacker dumped 125 gigabytes of Twitch's internal data on 4chan with the hashtag "#DoBetterTwitch." It wasn't a sophisticated attack — it was a server misconfiguration. The leak included Twitch's entire source code, internal security tools, and an unreleased Steam competitor codenamed "Vapor." Evidence from a 2014 breach — right after Amazon bought Twitch — was still visible, suggesting Twitch never fully cleaned up from the first hack. The attacker called it "part one." Amazon's response: "we're confident no credentials were exposed." The source code was.

What they claim: Twitch claims to protect creator and user data with appropriate security measures.

What we found: In October 2021, a hacker leaked 125GB of Twitch internal data on 4chan tagged #DoBetterTwitch. The leak included the entire source code, internal security tools, an unreleased competitor codenamed Vapor, and creator payouts back to 2019. It was caused by a server misconfiguration. Evidence of the 2014 breach was still visible — Twitch never fully cleaned up from the first hack.

⚠️ critical · policy claims vs app permissions
The 2021 Twitch leak exposed exactly how much every single creator earned. CriticalRole: $9.6 million. xQc: $8.4 million. Summit1g: $5.8 million. But it wasn't just the millionaires — small creators making $200 a month had their income published alongside the top earners. The exposure triggered harassment campaigns, doxxing attempts, and stalking fears. Twitch's privacy policy promised creator financial data was confidential. A single server misconfiguration turned every streamer's bank statement into a 4chan post. Amazon, a $1.7 trillion company, couldn't configure a server correctly.

What they claim: Twitch states that creator financial information is confidential and protected.

What we found: The 2021 breach exposed exact payout figures for every creator back to August 2019. CriticalRole: $9.6 million. xQc: $8.4 million. Summit1g: $5.8 million. Small creators making $200/month were also exposed. This led to targeted harassment, doxxing, and stalking concerns.

Honesty 3/4 HIGH 4 findings
⚡ high · policy claims vs app permissions
In 2021, Black and LGBTQ+ Twitch streamers were bombarded with coordinated hate raids — thousands of bots flooding chats with racial slurs and death threats. Streamers RekItRaven, ShineyPen, and LuciaEverBlack organized #ADayOffTwitch, taking thousands of streamers offline. A class-action lawsuit was filed. Twitch's response? Months to implement basic anti-raid tools like phone verification. A platform owned by the world's largest cloud computing company couldn't stop bot accounts from sending the N-word in chat.

What they claim: Twitch provides a safe community for streamers and viewers.

What we found: In 2021, Twitch faced an epidemic of hate raids — coordinated bot attacks flooding Black, LGBTQ+, and marginalized streamers' chats with racist and threatening messages. Streamers RekItRaven, ShineyPen, and LuciaEverBlack organized #ADayOffTwitch. A class-action lawsuit was filed. Twitch didn't implement basic anti-raid tools for months.

⚡ high · policy claims vs app permissions
Twitch takes 50% of a small streamer's $4.99 subscription — $2.50 goes to Amazon, $2.49 to the person who spent 8 hours entertaining an audience. In 2022, even top partners' 70/30 deals reverted to 50/50 after $100,000. YouTube gives every creator 70%. Kick offers 95%. Twitch's parent Amazon made $469.8 billion in 2021 revenue. But the streamer making $800/month hands $400 to a company that could fund its entire creator programme with rounding errors from quarterly earnings.

What they claim: Twitch supports creators and provides fair compensation for content.

What we found: Twitch takes 50% of most streamers' $4.99 subscriptions. In 2022, even top partners' 70/30 deals reverted to 50/50 after $100,000. YouTube offers all creators 70/30. Kick offers 95/5. Amazon made $469.8 billion in 2021. Jeff Bezos is worth $150B+.

⚡ high · policy claims vs app permissions
In late 2020, Twitch sent thousands of DMCA notices for clips dating back years — some containing 10 seconds of background music from a car radio. Creators had no tools to identify which clips were flagged. They were told to mass-delete entire clip libraries or risk permanent bans. Years of content were wiped overnight. Twitch's own VP DJ Wheat admitted they'd failed to build proper tools. Music labels — not Twitch — decided who got banned. The platform that built its empire on creator content couldn't be bothered to build a copyright identification tool until creators had already lost everything.

What they claim: Twitch enforces copyright policy fairly and provides DMCA compliance tools.

What we found: In late 2020, Twitch sent mass DMCA takedowns for clips with background music dating back years. There were no tools to identify violations. Creators were told to mass-delete clip libraries or risk bans. VP DJ Wheat admitted a failure to build proper tools. Music labels, not Twitch, decided who got banned.

⚫ medium · policy claims vs network analysis
In 2026, Twitch users discovered their accounts were being hijacked even with two-factor authentication turned on. Attackers changed emails, passwords, and locked creators out of channels built over years. Streamers lost subscriber revenue, communities, and content archives. Twitch's recovery process? Weeks of waiting. For a platform where creators earn their entire livelihood, "we'll get back to you" isn't account security — it's negligence. The two-factor authentication Twitch recommends couldn't stop attackers from walking through the front door.

What they claim: Twitch protects account security with two-factor authentication.

What we found: In 2026, there were multiple reports of accounts hijacked despite 2FA being enabled. Attackers changed emails and passwords, bypassing 2FA entirely. Creators lost access to channels, subscribers, and revenue. The recovery process took weeks, with some creators losing their income source.

What happened to real people
Documented incidents involving Amazon products and user data.
Ring employees spied on customers through bedroom and bathroom cameras. Hackers live-streamed customers' videos. An 8-year-old girl was contacted by a hacker through a bedroom camera. $5.8M FTC settlement. [source]
Amazon admitted giving Ring footage to police without owner consent at least 11 times in 2022. 30,000 employees had access to customer videos. [source]
What your data is worth to governments
Jurisdiction: US (CLOUD Act).
Sources