
30 Apr 2019

Purchase a Startup Alley exhibitor package for Disrupt SF 2019

We’re in hot pursuit of bold exhibitionists. It’s time to show the world your stuff. By that we mean it’s time to secure your spot in Startup Alley, the exhibition floor at the very heart of Disrupt San Francisco 2019, which takes place on October 2-4. Simply buy a Startup Alley Exhibitor Package to place your early-stage startup in the path of more than 10,000 influential technologists, founders, investors and media.

Startup Alley epitomizes world-class networking and opportunity. It’s where hundreds of early-stage startups showcase their tech and talent to an enthusiastic, targeted audience. And it’s where people make connections that can potentially change the course of their future.

Here’s just one example. While exhibiting in Startup Alley, TestCard received media coverage from several different outlets. Luke Heron, the company’s CEO, said that the article helped to push TestCard in the right direction:

The coverage we received while exhibiting in Startup Alley — among all these other fantastic startups — has a hugely positive impact when you’re fundraising.

He should know, because the company went on to secure $1.7 million in funding. That’s some hefty ROI right there.

What do you get with a Startup Alley Exhibitor Package? Excellent question. It starts with three Founder Passes, one day to exhibit in Startup Alley and access to the Startup Alley Exhibitor lounge. Your early-stage startup can represent any tech category, like AI/Machine Learning, Biotech/Healthtech, Blockchain, Fintech, Mobility, Privacy/Security, Retail/E-commerce, Robotics/IoT/Hardware, SaaS, Social Impact/Education and more.

Your passes are good for the three full days of Disrupt and provide access to all content (including the Startup Battlefield competition), more than 1,000 startups and sponsors in Startup Alley, interactive workshops and the full attendee list (through the Disrupt mobile app), along with a list of attending media outlets.

Hold on, startup fans, there’s more. You can use CrunchMatch to set up meetings with investors or other attendees, attend networking parties, have a shot at being our Startup Battlefield Wild Card winner and get fantastic discounts on hotel rooms in San Francisco. After the show ends, you’ll be able to access exclusive Disrupt video content. Note: You must be a verified early-stage (pre-series A) startup to exhibit in Startup Alley.

One more thing. If you think your startup’s the best in one of our featured categories, why not apply to be in the TC Top Pick program? You’ll get to exhibit for free — and who doesn’t love free?

Disrupt San Francisco 2019 takes place October 2-4. This is your chance to stake your claim in Startup Alley and take your company to the next level. Go ahead and buy your Startup Alley Exhibitor Package now — while you still can.

Is your company interested in sponsoring or exhibiting at Disrupt SF? Contact the sponsorship sales team by filling out this form.

30 Apr 2019

Glovo, the on-demand ‘deliver anything’ local app, raises $169M Series D

Glovo, the Spain-headquartered on-demand delivery app that has similarities to Postmates in the U.S., has raised $169 million (€150m) in Series D funding. Lakestar led the round alongside Drake, owner of global pizza franchise Papa John’s.

Idinvest Partners and Korelya Capital also participated, bringing total raised to approximately $322 million. The company last raised funding ten months ago: a $134 million Series C round from Seaya Ventures, Cathay Innovation and Rakuten Capital.

Founded in January 2015 by Oscar Pierre and Sacha Michaud, Glovo offers a ‘shop on your behalf’ app that promises to let you order anything locally on-demand and have it delivered “within minutes”. This includes food items — the company is known for its McDonald’s deliveries in Spain — and non-takeout food and other verticals, such as groceries and pharmaceuticals.

The fast-growing company claims more than 5.5 million unique users and 16,000 associated partners, and now operates in 124 cities across 21 countries, including EEMEA, LATAM, and most recently in Sub-Saharan Africa.

The startup says it currently employs over 1,000 people globally, with over 400 people in its Barcelona HQ. A classic gig worker setup: Glovo has 35,000 active “Glovers” on its platform (that’s “self-employed” couriers, to you and me).

Glovo says it will use this injection of funding to bolster global growth, which has been dramatically picking up pace (although, with some reported bumps in the road). CEO Oscar Pierre tells me the company launched in 18 new countries in 2018. There are also plans to further innovate around on-demand groceries, including creating “dark supermarkets” that operate alongside the app’s marketplace of local supermarket chains.

Explains Pierre: “Our Darkstores are urban micro-fulfillment centers located in central areas of a city. They allow us to fully control the value chain and offer the best UX, with a delivery of around 20 minutes. They are run 24 hours a day by Glovo employees whose role is to pick and pack customer orders and have them ready for when the courier arrives. We have launched the offering in Barcelona and Madrid so far and we are still learning and analyzing the results”.

In addition, Glovo will continue to throw more engineers and technology at the problem of optimising on-demand delivery. The company recently hired VP of engineering Mustafa Sezgin, who was an engineering leader at Uber prior to joining.

Pierre says tech is being developed to continue improving the efficiency of Glovo’s “delivery and dispatching capabilities to building a world-class mobile product that exposes everything in a city at the push of a button”. To support this, he intends to grow the tech and data team to over 300 engineers in the next 18 months.

“Today, more than 70 percent of our business is food, followed by groceries, courier and pharmacy,” adds Pierre. “Our vision is to make everything in a city instantly available through the app, and we want to expand into other areas beyond delivery (services, reservations, etc) soon”.

Meanwhile, I’m told Glovo’s most successful markets in terms of orders are Spain (Madrid & Barcelona), Argentina (Buenos Aires), Peru (Lima) and Italy (Milan). Its most successful markets in terms of growth last month (i.e. new customer acquisition) outside of the above were Costa Rica (San José), Ecuador (Guayaquil), Ukraine (Kiev), Turkey (Istanbul) and Romania (Bucharest).

30 Apr 2019

Daily Crunch: The end of Anki

The Daily Crunch is TechCrunch’s roundup of our biggest and most important stories. If you’d like to get this delivered to your inbox every day at around 9am Pacific, you can subscribe here.

1. Cozmo maker Anki is shutting its doors

No one ever said consumer robots were easy. But Anki’s actually made a pretty strong go of it, all things considered.

“We’ve shipped millions of units of product and left customers happy all over the world while building some of the most incredible technologies pointed toward a future with diverse AI and robotics driven applications,” the company said. “But without significant funding to support a hardware and software business and bridge to our long-term product roadmap, it is simply not feasible at this time.”

2. Alphabet misses on Q1 revenues of $36.3B; EPS of $9.50 weighed down by the $1.7B European fine

Overall, it was a tough quarter for the company, indicating struggles with its growth.

3. Why did last night’s ‘Game of Thrones’ look so bad? Here comes the science!

For what it’s worth, I didn’t have any trouble watching Sunday’s climactic battle episode of “Game of Thrones” — but it seems plenty of other viewers did.

4. Samsung sees Q1 profit plummet 60 percent

Samsung said that sales of its new Galaxy S10 smartphone were “solid,” but it admitted that its memory chip and display businesses — so often the most lucrative units for the company — didn’t perform well.

5. Utah’s Divvy raises $200M to eliminate expense reports

Divvy only launched its platform, which allows customers to send and request funds, create virtual credit cards, manage team spending and more, in January 2018. Its valuation has grown 1,000 percent since then, across three rounds of equity funding.

6. Twitter announces new content deals with Univision, The Wall Street Journal and others

The spotlight has moved on from Twitter’s video strategy, but the company is still making deals.

7. What we want to know in the We Company (WeWork) S-1

With news that the We Company (formerly known as WeWork) has officially filed to go public, there’s a big question on everyone’s mind: Is this the next massive startup win or a house of cards waiting to be toppled by the glare of the public markets? (Extra Crunch membership required.)

30 Apr 2019

GM’s electric future includes a pickup truck

GM will make a full-size electric pickup truck as part of an “all-electric future” that will include a complete range of EVs, CEO Mary Barra said during the automaker’s quarterly earnings call Tuesday.

GM reported Tuesday higher-than-expected profit in the first quarter, a result fueled by cost cutting and sales of its more expensive trucks and SUVs. GM also benefitted from its stake in ride-hailing company Lyft and French automaker PSA Group.

GM revenue fell 3.4 percent to $34.88 billion compared with the same period last year.

“GM has an industry-leading truck franchise and industry-leading electrification capabilities,” Barra said.
“I assure you we will not cede our leadership on either front. We intend to create an all-electric future that includes a complete range of EVs, including full-size pickups.”

GM already produces the all-electric Chevy Bolt, a small hatchback that is also used by its self-driving car unit GM Cruise. But it doesn’t have any EV crossovers, SUVs and trucks.

Barra’s EV comments come on the heels of reported talks to invest in Rivian, an electric vehicle startup that debuted an all-electric R1T pickup and R1S SUV in November. The deal with GM never materialized.

Instead, Ford swooped in and announced in April that it was investing $500 million into the EV startup. Along with the cash, Ford plans to build a vehicle on Rivian’s electric vehicle platform.

Amazon is also a Rivian investor and earlier this year led a $700 million round into the automotive startup.

It’s unclear if GM will develop an electric pickup on its own or seek another partner like Rivian. Barra didn’t reveal when such a vehicle would become available. She only said the company would share more “when competitively appropriate.”

In the meantime, upstart Rivian is pushing forward with its SUV and truck-focused plans. Deliveries of Rivian’s first two vehicles are expected to begin in late 2020.

GM has been undergoing a transformation over the past four to five years, getting rid of expensive, money-losing programs like the Opel brand in Europe, and investing more into electrification and autonomous vehicle technology.

GM ramped up its belt-tightening measures last November with cuts to factory and white-collar workers, plant closures in North America and the elimination of several car models as it tries to transform into a nimble company focused on high-margin SUVs, crossovers and trucks, and investments in future products like electric and autonomous vehicles.

The actions are meant to safeguard the automaker from an expected downturn in the U.S. market and increase its annual free cash flow by about $6 billion.

At the same time, GM has said it will continue to increase investments in key areas such as engineering resources allocated to electric and autonomous vehicle programs.

The automaker announced in January that it will turn Cadillac into its lead electric vehicle brand. The company is developing a new battery electric vehicle architecture that will be the foundation for an advanced family of “profitable EVs,” a word choice that suggests the company will focus on higher margin vehicles such as luxury cars as well as crossovers and SUVs.

30 Apr 2019

Social media firms agree to work with UK charities to set online harm boundaries

Social media giants, including Facebook-owned Instagram, have agreed to financially contribute to UK charities to fund them making recommendations that the government hopes will speed up decisions about removing content that promotes suicide/self-harm or eating disorders on their platforms.

The development follows the latest intervention by health secretary Matt Hancock, who met with representatives from Facebook, Instagram, Twitter, Pinterest, Google and others yesterday to discuss what they’re doing to tackle a range of online harms.

“Social media companies have a duty of care to people on their sites. Just because they’re global doesn’t mean they can be irresponsible,” he said today.

“We must do everything we can to keep our children safe online so I’m pleased to update the house that as a result of yesterday’s summit, the leading global social media companies have agreed to work with experts… to speed up the identification and removal of suicide and self-harm content and create greater protections online.”

However he failed to get any new commitments from the companies to do more to tackle anti-vaccination misinformation — despite saying last week that he would be heavily leaning on the tech giants to remove anti-vaccination misinformation, warning it posed a serious risk to public health.

Giving an update on his latest social media moot in parliament this afternoon, Hancock said the companies had agreed to do more to address a range of online harms — while emphasizing there’s more for them to do, including addressing anti-vaccination misinformation.

“The rise of social media now makes it easier to spread lies about vaccination so there is a special responsibility on the social media companies to act,” he said, noting that coverage for the measles, mumps and rubella vaccination in England decreased for the fourth year in a row last year — dropping to 91%.

There has been a rise in confirmed measles cases from 259 to 966 over the same period, he added.

With no sign of an agreement from the companies to take tougher action on anti-vaccination misinformation, Hancock was left to repeat their preferred talking point to MPs, segueing into suggesting social media has the potential to be a “great force for good” on the vaccination front — i.e. if it “can help us to promote positive messages” about the public health value of vaccines.

For the two other online harm areas of focus, suicide/self-harm content and eating disorders, suicide support charity Samaritans and eating disorder charity Beat were named as the two U.K. organizations that would be working with the social media platforms to make recommendations for when content should and should not be taken down.

“[Social media firms will] not only financially support the Samaritans to do the work but crucially Samaritans’ suicide prevention experts will determine what is harmful and dangerous content, and the social media platforms committed to either remove it or prevent others from seeing it and help vulnerable people get the positive support they need,” said Hancock.

“This partnership marks for the first time globally a collective commitment to act, to build knowledge through research and insights — and to implement real changes that will ultimately save lives,” he added.

The Telegraph reports that the value of the financial contribution from the social media platforms to the Samaritans for the work will be “hundreds of thousands” of pounds. And during questions in parliament MPs pointed out the amount pledged is tiny vs the massive profits commanded by the companies. Hancock responded that it was what the Samaritans had asked for to do the work, adding: “Of course I’d be prepared to go and ask for more if more is needed.”

The minister was also pressed from the opposition benches on the timeline for results from the social media companies on tackling “the harm and dangerous fake news they host”.

“We’ve already seen some progress,” he responded — flagging a policy change announced by Instagram and Facebook back in February, following a public outcry after a report about a UK schoolgirl whose family said she killed herself after being exposed to graphic self-harm content on Instagram.

“It’s very important that we keep the pace up,” he added, saying he’ll be holding another meeting with the companies in two months to see what progress has been made.

“We’ll expect… that we’ll see further action from the social media companies. That we will have made progress in the Samaritans being able to define more clearly what the boundary is between harmful content and content which isn’t harmful.

“In each of these areas about removing harms online the challenge is to create the right boundary in the appropriate place… so that the social media companies don’t have to define what is and isn’t socially acceptable. But rather we as society do.”

In a statement following the meeting with Hancock, a spokesperson for Facebook and Instagram said: “We fully support the new initiative from the government and the Samaritans, and look forward to our ongoing work with industry to find more ways to keep people safe online.”

The company also noted that it’s been working with expert organisations, including the Samaritans, for “many years to find more ways to do that” — suggesting it’s quite comfortable playing the familiar political game of ‘more of the same’.

That said, the UK government has made tackling online harms a stated policy priority — publishing a proposal for a regulatory framework intended to address a range of content risks earlier this month, when it also kicked off a 12-week public consultation.

Though there’s clearly a long road ahead to agree a law that’s enforceable, let alone effective.

Hancock resisted providing MPs with any timeline for progress on the planned legislation — telling parliament “we want to genuinely consult widely”.

“This isn’t really issue of party politics. It’s a matter of getting it right so that society decides on how we should govern the Internet, rather than the big Internet companies making those decisions for themselves,” he added.

The minister was also asked by the shadow health secretary, Jonathan Ashworth, to guarantee that the legislation will include provision for criminal sentences for executives for serious breaches of their duty of care. But Hancock failed to respond to the question. 

30 Apr 2019

Verified Expert Brand Designer: The Working Assembly

The Working Assembly began as a side hustle. Jolene Delisle and Lawrence O’Toole juggled full-time jobs while collaborating on projects for startup clients, and they eventually realized there was an opportunity to help companies with branding, marketing, and advertising. In the past four years, TWA has grown from a team of two to a team of twenty in NYC’s Flatiron district. We spoke with Creative Director and Partner Jolene Delisle about their start, their new initiative 24-Hour Assembly—a branding program for minority and women founders, what makes an ideal TWA client, and why she’s excited about the new frontier of experiential and immersive branding.   

On common founder mistakes:

“Clients often come to us and say, “I love the branding of this.” And we’re like, “Well, that’s not really your target. It doesn’t really make sense for you as a brand.” And I think it can be hard for founders to separate their own personal aesthetic from what is actually going to be most effective for their business.”

On TWA’s core values:

“There’s an opportunity when you start your own business to be able to pick your clients, and we started working with a lot of female-founded startups right away. Zola and TheSkimm are both led by women founders. We developed a natural passion for working with these types of companies. It helps that our team is also comprised of mostly women, which I think is really outside the norm. For us, we really focus on diversity and inclusivity. It’s a core tenet of our company and an integral part of the conversation.”

“TWA is great at collaborating, ideating, and executing brand identities. They have outstanding taste, beautiful design skills and understand the marketplace well.” Michael Wayne, LA, CEO, Kin

Below, you’ll find the rest of the founder reviews, the full interview, and more details like pricing and fee structures. This profile is part of our ongoing series covering startup brand designers and agencies with whom founders love to work, based on this survey and our own research. The survey is open indefinitely, so please fill it out if you haven’t already.

Interview with TWA’s Creative Director and Founder Jolene Delisle

Yvonne Leow: Tell me a little bit about your backstory. What led you down this path of design and branding?

Jolene Delisle: So, I have more of a background in advertising and communications, and my founding partner, Lawrence, has a background in branding. In the beginning, we were both working full time, but we would collaborate on projects for startup clients. We eventually realized that there was a need to create branding elements before we could ever develop a marketing strategy so that became the impetus for starting Working Assembly.

We’re a relatively new studio. We have about 20 people full time. We’re based in the Flatiron district in NYC. And we work with emerging and evolving brands. The emerging brands are startups. About 40% of our clients are early-stage companies that have either received some kind of angel investment or are pre-series A. Sometimes, founders come to us when they don’t even have a name yet, but they have a great idea and a core MVP. Other times, startups are growing very quickly, and we’ll build out their brand and create additional assets.

30 Apr 2019

Small Door raises $3.5 million in seed funding to rethink veterinary care

Millennials are opting out of marriage and kids and instead opting for pet ownership, opening the door for pet-centric businesses to grow.

Small Door is one such company. The startup has raised $3.5 million in seed funding to rethink veterinary services from the ground up. The funding was led by Lerer Hippeau Ventures and Primary Venture Partners, with participation from Foundry Ventures, Flatiron Health cofounders Nat Turner and Zach Weinberg, Warby Parker cofounders Dave Gilboa and Neil Blumenthal, among others.

Small Door operates on a membership model, not unlike OneMedical. The company gives members a certain number of annual check-ups, priority access to specialists, and virtual access to vets based on their membership tier.

By generating revenue through a membership model, the company can ensure that vets have enough time with each patient and simultaneously minimize wait times in the waiting room.

Moreover, Small Door was founded as a Public Benefit Corporation, identifying Small Door vets and pets as key stakeholders in the business. Suicide is a growing problem among vets, who often deal with mounting debt, compassion fatigue, difficult hours and even more difficult customers.

Small Door is looking to build a business that invests in the success and wellbeing of the vets as well as the shareholders.

The company plans to use the new funding to further build out the team and the product. Small Door also has plans to open its first Small Door clinic in the fall in NYC. (The above pic is a 3D rendering of the new clinic.)

30 Apr 2019

Energizer’s massive battery/phone proves a viral hit ≠ crowdfunding success

Oof. This isn’t the sort of thing you want to see when you’re rounding the corner of your crowdfunding campaign:

There are long shots and then there’s coming up with $15,000 of your $1.2 million goal. The Indiegogo page for the Energizer Power Max P18K Pop understandably focused on the viral sensation the ridiculously beefy phone with the 18,000mAh battery spurred at Mobile World Congress this year. There are even photos of the scrum of journalists elbowing to take a shot of the thing at the event.

Understandable that its creators took that approach. Heck, the thing may have outshined all of the foldable and 5G phones that were set to take center stage at the event. We wrote about it. Lucas rightfully called it “basically a giant battery with a smartphone built into it.”

The takeaway seems clear, though. Just because everyone’s talking about a product doesn’t mean that anyone intends to buy it. If anything, the device seemed more a comment on the state of smartphone battery life than an actually enticing product.

And honestly, there’s been a shift in recent years among many smartphone manufacturers to provide power saving options and larger capacity batteries, so this has become less of a problem (though 5G’s approach could adversely impact that). Also, there are eight million power banks, and you can get them pretty cheap these days, making the P18K Pop an even sillier proposition. Not to mention all the things that can go wrong when you buy a phone based on a single feature.

Even so, the product’s creators closed the campaign out on a hopeful note, writing, “Although it didn’t reach its goal, we will work on further improvement on the P18K (design, thickness, etc.) as we do believe there is a rising interest for smartphones with incredible battery life, which can also be used as power banks.”

Certainly features from companies like Samsung and Huawei have proven that power sharing is a compelling feature. It just probably won’t come with Energizer’s name attached.

30 Apr 2019

Creative Commons launches its search engine out of beta, with over 300M images indexed

Nonprofit organization Creative Commons is today publicly launching its search engine, after over two years of beta testing. The new service is designed to offer an easy way to search the commons’ archive of free content available in the public domain, that’s available to use under Creative Commons licenses. At launch, this includes over 300 million images indexed from multiple collections, the organization says.

The service engine itself has also been updated with a major redesign and faster, more relevant search.

While the larger photo search engines, including Google and Flickr, have for a long time offered tools that let you filter for CC-licensed images, the Creative Commons’ website also sees a good bit of traffic itself. The organization in February 2017 said it was seeing nearly 60,000 users search its site per month, which is why it wanted to create an improved search experience.

“There is no ‘front door’ to the commons, and the tools people need to curate, share, and remix works aren’t yet available,” said Ryan Merkley, Creative Commons CEO, when announcing the plans for the new CC search engine. “We want to make the commons more usable, and this is our next step in that direction,” he explained.

When the beta version of the search engine launched, there were some 9.5 million images available, including those from Flickr, 500px, Rijksmuseum, the New York Public Library and the Metropolitan Museum of Art, which served as its initial sources.

Today, CC Search has over 300 million images pulled from 19 collections including also the Cleveland Museum of Art, Behance, DeviantArt, and even a set of CC0 3D designs from Thingiverse, among others. The organization says the image catalog will continue to grow, with prioritization given to significant collections like Europeana and Wikimedia Commons.

With today’s launch, the engine itself has also had an update. It now features a cleaner home page, improvements to its navigation and filters, design alignment with creativecommons.org, streamlined attribution options, and clearer channels for providing the organization with feedback. Under the hood, the engine has seen improvements to things like loading times and search phrase relevance, and added analytics to help the team understand how it’s being used, the organization said.

In addition, the engine is now directly linked to the Creative Commons homepage where it replaces the old search portal. (The latter remains online, however, at oldsearch.creativecommons.org).

This quarter, Creative Commons plans to add advanced filters to the homepage, the ability to browse collections without entering search terms, and improvements to accessibility and the user experience on mobile devices. Some of this work will be done by Google Summer of Code students starting next month, it notes.

Longer-term, Creative Commons plans to grow the engine to index more than just photos. Later this year, it plans to begin indexing other CC-licensed works, like open textbooks and audio. Eventually, it wants this new portal to provide access to all 1.4 billion works in the commons — but that could take time, given that its work relies on a community of volunteer developers who work alongside the engineering team at Creative Commons.

On that front, the organization is open to community contribution and makes all its code — including the code behind CC Search — open source (e.g. CC Search, CC Catalog API, CC Catalog). It also runs the #cc-usability channel on CC Slack where you can keep up with the new releases.

The public launch of CC Search follows other recent, good news for a sizable Creative Commons collection. In March, Flickr announced that all the Creative Commons images hosted on its site would remain protected — including those uploaded in the past, and any added in the future.

There had been some concern over the future of Flickr’s CC repository, following the company’s move to a new business model which put an end to Flickr’s free terabyte of storage in favor of a subscription-based service. Had it decided to delete the CC-licensed photos it hosted, millions of photos would have been lost. Now those photos will continue to be available, and discoverable through the new CC Search.

The full 2019 CC Search roadmap is available here.

30 Apr 2019

After account hacks, Twitch streamers take security into their own hands

Twitch has an account hacking problem.

After the breach of popular browser game Town of Salem in January, some 7.8 million stolen passwords quickly became the weakest link not only for the game but gamers’ other accounts. The passwords were stored using a long-deprecated scrambling algorithm, making them easily cracked.

It didn’t take long for security researcher and gamer Matthew Jakubowski to see the aftermath.

In the weeks following, the main subreddit for Amazon-owned game streaming site Twitch — of which Jakubowski is a moderator — was flooded with complaints about account hijacks. One after the other, users said their accounts had been hacked. Many of the hijacked accounts had used their Town of Salem password for their Twitch account.

Jakubowski blamed the attacks on automated account takeovers — bots that cycle through password lists stolen from breached sites, including Town of Salem.

“Twitch knows it’s a problem — but this has been going on for months and there’s no end in sight,” Jakubowski told TechCrunch.

Credential stuffing is a security problem that requires participation from both tech companies and their users. Hackers take lists of usernames and passwords from other breached sites and brute-force their way into other accounts. Customers of DoorDash and Chipotle have in recent months complained of account breaches, but the companies have denied their systems have been hacked, and have offered little help to their users or shown any effort to bolster their security, instead washing their hands of any responsibility.

Jakubowski, working with fellow security researcher Johnny Xmas, said that if Twitch stopped accepting email addresses to log in and incentivized users to set up two-factor authentication, it would all but eliminate the problem.

The Russia connection

In new research out Tuesday, Jakubowski and Xmas said Russian hackers are a likely culprit.

The researchers found attackers would run massive lists of stolen credentials against Twitch’s login systems using widely available automation tools. With no discernible system to prevent automated logins, the attackers can hack into Twitch accounts at speed. Once logged in, the attackers then change the password to gain persistent access to the account. Even if they’re caught, some users are claiming a turnaround time of four weeks for Twitch support to get their accounts back.

On the accounts with a stored payment card — or an associated Amazon Prime membership — the attackers follow or pay for streaming channels run by the attackers themselves for a small fee, of which Twitch takes a cut. Twitch also has its own virtual currency — bits — to help streamers solicit donations, which can be abused by the attackers to funnel funds into their coffers.

When the attacker’s streaming account hits the payout limit, the attacker cashes out.

The researchers said the attackers stream prerecorded gameplay footage on their own Twitch channels, often using Russian words and names.

“You’ll see these Russian accounts that will stream what appears to be old video game footage — you’ll never see a face or hear anybody talking but you’ll get tons of people subscribing and following in the channel,” said Xmas. “You’ll get people donating bits when nothing is going on in there — even when the channel isn’t streaming,” he said.

This activity helps to cloak the attackers’ account takeover and pay-to-follow activity, said Xmas, but the attackers would keep the subscriber counts low enough to garner payouts from Twitch but not to draw attention.

“If it’s something easy enough for [Jakubowski] to stumble across, it should be easy for Twitch to handle,” said Xmas. “But Twitch is staying silent and users are constantly being defrauded.”

Two-factor all the things

Twitch, unlike other sites and services with a credential stuffing problem, already lets its 15 million daily users set up two-factor authentication on their accounts, putting much of the onus to stay secure on the users themselves.

Twitch partners, like Jakubowski, and affiliates are required to set up two-factor on their accounts.

But the researchers say Twitch should do more to incentivize ordinary users — the primary target for account hijackers and fraudsters — to secure their accounts.

“I think [Twitch] doesn’t want that extra step between a valid user trying to pay for something and adding friction to that process,” said Jakubowski.

“Two-factor is important — everyone knows it’s important but users still aren’t using it because it’s inconvenient,” said Xmas. “That’s the bottom line: Twitch doesn’t want to inconvenience people because that loses Twitch money,” he said.

Recognizing there was still a lack of awareness around password security and with no help from Twitch, Jakubowski and Xmas took matters into their own hands. The pair teamed up to write a comprehensive Twitch user security guide to explain why seemingly unremarkable accounts are a target for hackers, and hosted a Reddit “ask me anything” to let users ask questions and get instant feedback.

Even during Jakubowski’s streaming sessions, he doesn’t waste a chance to warn his viewers about the security problem — often fielding other security-related questions from his fans.

“Every ten minutes or so, I’ll remind people watching to set up two-factor,” he said.

“The hackers have no idea how valuable an account is until they log in,” said Jakubowski. “They’re just going to try everyone — and take a shotgun approach,” he said.

Xmas said users “don’t realize” how vulnerable they are. “They don’t understand why their account — which they don’t even use to stream — is desirable to hackers,” he said. “If you have a payment card associated with your account, that’s what they want.”

Carrot and the stick

Jakubowski said that convincing the users is the big challenge.

Twitch could encourage users with free perks — like badges or emotes — costing the company nothing, the researchers said. Twitch lets users collect badges to flair their accounts. World of Warcraft maker Blizzard offers perks for setting up two-factor, and Epic Games offers similar incentives to their gamers.

“Rewarding users for implementing two-factor would go a huge way,” said Xmas. “It’s incredible to see how effective that is.”

The two said the company could also integrate third-party leaked credential monitoring services, like Have I Been Pwned, to warn users if their passwords have been leaked or exposed. And, among other fixes, the researchers say removing two-factor by text message would reduce SIM swapping attacks. Xmas, who serves as director of field engineering at anti-bot startup Kasada — which TechCrunch profiled earlier this year — said Twitch could invest in systems that detect bot activity to prevent automated logins.

Twitch, when reached prior to publication, did not comment.

Jakubowski said until Twitch acts, streamers can do their part by encouraging their viewers to switch on the security feature. “Streamers are influencers — more users are likely to switch on two-factor if they hear it from a streamer,” he said.

“Getting more streamers to get on board with security will hopefully go a much longer way,” he said.
