Video Game Streamer ‘Twitch’ Confirms Massive Data Breach – GovInfoSecurity.com




Reports: Platform's Entire Source Code Compromised in 125GB Leak

Dan Gunderman (dangun127) •
October 6, 2021

Video Game Streamer 'Twitch' Confirms Massive Data Breach
(Photo: Gage Skidmore via Wiki/CC)

The Amazon-owned video streaming service Twitch, which focuses on video games and e-sports broadcasts, has suffered a massive breach, which the company confirmed via Twitter on Wednesday.


A post on the online forum 4chan indicates that about 128 GB of data was leaked, including source code and user payout information. The 4chan post says the breach was intended to "foster more disruption and competition in the online video streaming space." The post called the Twitch community a "disgusting, toxic cesspool."

A screenshot of the post on 4chan.

Twitch tweeted on Wednesday morning: "We can confirm a breach has taken place. Our teams are working with urgency to understand the extent of this. We will update the community as soon as additional information is available. Thank you for bearing with us."

The security issue that led to so much data being stolen was not immediately clear. Twitch did not immediately respond to Information Security Media Group's request for additional information.

Leaked Content

The Twitch data that the intruders claim to have stolen includes:

  • Twitch's source code;
  • 2019 creator payout reports, including 81 streamers earning more than $1 million;
  • A compilation of Twitch clients;
  • Proprietary software development kits and internal AWS services;
  • Access to the Twitch-owned Internet Games Database and CurseForge;
  • An unreleased Steam competitor from Amazon Game Studios;
  • Twitch's internal red-teaming tools.

According to VGC, the leaked data also identifies and quantifies the platform's top earners. Of all of the data, this may be the most sensitive. Some popular Twitch streamers have said their figures are right, while others have said they're incorrect.

But the leak of the source code isn’t as sensitive or as bad for Twitch as some might portray it to be, says Thomas Shadwell, who founded Twitch's security team in 2014 and left in July 2020 as a senior application security engineer.

The source code is Twitch's intellectual property, he says, but it amounts to essentially a set of instructions for reproducing Twitch. Leaked source code poses about the same risk as any code that is open to the public: the risk that someone might spot an exploitable vulnerability.

Shadwell says one project he was involved with at Twitch involved moving secrets such as API tokens, passwords and other items such as test accounts out of the source code to improve overall security.

The source code that was leaked likely came from one server that stored the git instance, he says. "That code is pretty much public to everyone inside Twitch," Shadwell says.
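The practice Shadwell describes, keeping API tokens, passwords and test-account credentials out of the source tree, is usually enforced by scanning files for credentials before they reach a shared git server like the one described above. The following Python is an added example of such a check, not Twitch code or code from the article; the three-file sample tree, the rule names and every credential-looking value in it are constructed for this illustration.

```python
import math
import re

# Rules in priority order: the first rule a line trips is its finding, so each
# line yields at most one result. Patterns are deliberately simple.
AWS_ACCESS_KEY = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
CREDENTIAL_ASSIGNMENT = re.compile(
    r"(?i)(password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]([^'\"]{8,})['\"]")
TOKEN_RUN = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")
ENTROPY_THRESHOLD = 3.5  # bits per character; random API tokens usually exceed this


def shannon_entropy(s: str) -> float:
    # Bits of entropy per character; 0.0 for the empty string.
    if not s:
        return 0.0
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))


def is_placeholder(value: str) -> bool:
    # Template values that are clearly not live secrets.
    return value.startswith("<") or value.lower() in {"changeme", "example"}


def scan_line(path: str, lineno: int, line: str):
    # Returns (path, lineno, rule) for the first rule that fires, else None.
    if AWS_ACCESS_KEY.search(line):
        return (path, lineno, "aws-access-key")
    m = CREDENTIAL_ASSIGNMENT.search(line)
    if m and not is_placeholder(m.group(2)):
        return (path, lineno, "hardcoded-credential")
    for run in TOKEN_RUN.findall(line):
        # Identifiers like AWS_SECRET_ACCESS_KEY have no digits; random tokens have both.
        mixed = any(c.isdigit() for c in run) and any(c.isalpha() for c in run)
        if mixed and shannon_entropy(run) >= ENTROPY_THRESHOLD:
            return (path, lineno, "high-entropy-string")
    return None


def scan_files(files: dict) -> list:
    # files maps path -> list of source lines; returns findings in file order.
    return [hit for path, lines in files.items()
            for hit in (scan_line(path, n, l) for n, l in enumerate(lines, 1)) if hit]


# Constructed sample tree; every value below is made up for this example.
SAMPLE_REPO = {
    "config/aws.py": ['AWS_ACCESS_KEY_ID = "AKIAEXAMPLE0000000AB"',
                      'AWS_SECRET_ACCESS_KEY = os.environ["AWS_SECRET_ACCESS_KEY"]'],
    "tests/fixtures.py": ['TEST_ACCOUNT_PASSWORD = "correct-horse-battery-staple-2019"',
                          'api_token = "<fill-in-from-vault>"'],
    "app/client.py": ['HEADERS = {"Authorization": "Bearer q9Zr4vL2mXp8Kw1YbN7sT3cH6jF0dG5a"}'],
}
```

Running `scan_files(SAMPLE_REPO)` flags the literal AWS key, the hardcoded test-account password and the bearer token, while the value read from the environment and the vault placeholder pass, which is the state Shadwell's project was moving the code toward.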

While he worked there, Twitch had taken steps to protect against unauthorized access to the git instance. For example, developers used Yubikeys, hardware tokens that generate time-sensitive codes for multifactor authentication. That means an attacker who has only a login and password would be unable to access the system.

As far as when he heard the news about Twitch, Shadwell says: "I think as a security engineer, you plan for these eventualities and you always live in a world where these things can happen."

'How on Earth?'

Those behind the leak have reportedly called it "Part One," hinting at further drops. It appears that the first wave does not include passwords, physical addresses or email addresses of Twitch subscribers, The Verge reports.

Many on social media are calling for Twitch users to activate two-factor authentication - typically requiring verification via smartphone - in their security and privacy settings, to further secure accounts.

Bill Lawrence, a former cybersecurity instructor at the U.S. Naval Academy and currently CISO with the firm SecurityGate, notes, "[Twitch's] data loss prevention and exfiltration prevention don't seem to have worked, and the volume of the hack could point to an insider or very lax controls around the keys to the 'Twitch kingdom' that an external hacker found."

Archie Agarwal, founder and CEO of ThreatModeler, says, "How on earth did someone exfiltrate 125GB of the most sensitive data imaginable without tripping a single alarm? There's going to be some very hard questions asked internally. … [And] it's almost guaranteed user information will have been swept up in this breach, and so users will have to take the usual precautions."

Recent Controversy

This week's incident follows several recent headlines that found the streaming service facing user protests - labeled the #DoBetterTwitch movement - against harassment on the channel. The topic of interest - "hate raids" - involves viewers being rerouted to different channels when streamers head offline - a tool that, if abused via bots, can result in overwhelming spamlike or hateful messaging.

Responding via a Twitter thread in August, the company said: "We've seen a lot of conversation about botting, hate raids, and other forms of harassment targeting marginalized creators. You're asking us to do better, and we know we need to do more to address these issues. That includes an open and ongoing dialogue about creator safety."

Twitch also wrote that it had identified a flaw in its protective filters and rolled out an update that would better detect hate speech in chat. The company said it will launch channel-level ban evasion detection and account verification improvements later this year. It also said it is trying "to build a safer Twitch."

Executive Editor Jeremy Kirk contributed to this report.
