The Amazon-owned video game streaming platform Twitch has exposed roughly 135 gigabytes of data, revealing source code and payout figures for streamers. Twitch confirmed the leak after the data was advertised on 4chan.
Here’s what cybersecurity experts had to say on the matter:
Javvad Malik, lead security awareness advocate, KnowBe4
The Twitch breach is a large one and contains some potentially very sensitive information relating to some of its streamers.
Changing passwords, especially if the same password has been used on other systems is a good first step for affected users. But it’s also worth bearing in mind that not all attacks based on information on these leaks will come immediately. Criminals can use the data within the leak to formulate convincing phishing attacks over weeks or months. So it’s important for Twitch users to remain vigilant of emails, text messages, physical letters or even phone calls claiming to be from Twitch, or a related service.
Paul Bischoff, security and privacy advocate, Comparitech.com
At this point it’s not clear what user information was leaked in the breach. Twitch hasn’t mentioned payment information or passwords being stolen, but I would still recommend Twitch users immediately enable two-factor authentication on their accounts.
The source code and other information leaked poses a greater threat to Twitch and Amazon than their users. Leaking source code and future projects could put Amazon at a disadvantage against Steam and other competing platforms. The internal security tools could also help malicious hackers develop malware to launch against Twitch or its users.
Jonathan Knudsen, senior security strategist, Synopsys Software Integrity Group
“The Twitch breach highlights a few important points about cybersecurity. First, adversaries come in many forms with many motivations. In this particular incident, an attacker with ideological motivation compromised Twitch’s systems and published a huge amount of data. Organisations should consider all types of threats, from casual opportunists to cybercriminals seeking money to nation states pursuing geopolitical gain.
“Second, incident response is critically important. When something goes wrong (and something always goes wrong), organizations must have plans in place for a quick and effective response. This response needs to address business continuity (keeping the lights on), customer communication, and recovery. Most importantly, incident response must include a post-mortem analysis which feeds back to improve defenses.
“Third, security by obscurity never works. Cybersecurity experts just assume that attackers have access to the source code of software. Given enough time and resources, attackers can usually reverse engineer software applications to understand how they work. In the case of the Twitch breach, everyone in the world now has direct access to the Twitch source code. Whatever Twitch was doing for application security, they need to redouble their efforts. Anyone can now run static analysis, interactive analysis, fuzzing, and any other application security testing tools. Twitch will need to push their application security to the next level, finding and fixing vulnerabilities before anyone else can find them.”
Jordan Dunne, security consultant, edgescan
“It is probable that Twitch is undergoing an internal investigation at the moment, but Twitch has a responsibility to notify its users as to the full effects of this leak. It is recommended that users change their passwords and enable two-factor authentication on their accounts as soon as possible. Leaks from any industry can be harmful, but Twitch is a platform in which it is possible for users to make a living and it is obviously not good that these users’ information, such as their earnings, is now public. For example, users may become targets for criminal activity now that their revenue has become publicly accessible.
The fact that the poster claims that this is ‘Part One’ of the leak is troubling, and without any comments from Twitch, it is not enough to hope that payment information and unencrypted passwords will not be included in the near future.
Also, what is very troubling is the amount of organisational information such as source code and security tools that have been disclosed in the leak. This could allow malicious attackers to release modified versions of Twitch’s applications and distribute them online, leading to further attacks. The release of the internal ‘red-team’ tools will allow attackers to identify weaknesses in the testing and perhaps even highlight potential attacks available on the platform.”
Hank Schless, senior manager of security solutions, Lookout
“Based on feedback from the security community, it appears that the claims of what type of data was involved in this breach are legitimate. That being said, we won’t know the full extent of the leak until Twitch is able to release more details.
While validation is ongoing, it appears that the content of the leak is aligned with what the leaker themselves claim is in the 125GB file. This includes Twitch clients across mobile, desktop and console, proprietary SDKs, other services owned by Twitch, unreleased gaming platform data, and even payout reports for the streamers themselves.
Across Twitter, members of the infosec community are validating data in the leak – in particular the payout reports for Twitch creators. Based on the commentary from the user who allegedly leaked the data out on 4chan, this looks like a highly targeted attack. Without additional details, it’s difficult to speculate how this individual was able to gain access to so much data.
In other attacks, such as ransomware, an attacker will often acquire legitimate credentials through phishing campaigns then use those credentials to navigate the organization’s infrastructure. In these cases, the attacker will usually locate particularly valuable or sensitive data and encrypt it for ransom. This attack looks different because it’s not just one service or data type that was leaked – it spans almost every aspect of the Twitch platform including incredibly private proprietary data.
Regardless of how the user was able to get their hands on all of this data, the incident highlights how important it is to have visibility into every aspect of your infrastructure. Organizations in every industry have a massive and complex mix of cloud and SaaS apps, private apps, and on-prem infrastructure. This makes it difficult to catch tell-tale signs of anomalous behaviour or massive data extraction across every one of those apps and services. Cloud access security broker (CASB) and zero trust network access (ZTNA) can help identify anomalous insider behaviour that could be threatening, mitigate the risk of unauthorized users gaining access to the infrastructure, and grant stronger visibility into how users and devices interact with your data.”
Trevor Morgan, product manager, comforte AG
The most alarming part of the breaking news that a hacker may have severely compromised Twitch, the live streaming service that specializes in video game live streaming and broadcasts, is that the purported breach hits at the heart of any enterprise: its IP and its user base. Most companies, especially those in software, technology, and entertainment, are monetized based on the value of their user base (number of users, growth in user base) and intellectual property (usually their code and inventions, and the market success of both).
Organizations should learn from this situation and treat all of their information (IP, specifications, development plans, code, and customer/user information, just to name a few) as highly sensitive and therefore protect it with multiple layers of security, including data security. They need to assume that breaches will occur—not that they might occur—and plan for the eventuality that the wrong people may actually get to and apprehend sensitive data. Therefore, the goal first and foremost should always be to protect the data itself where applicable with data-centric security such as format-preserving encryption and tokenization. Threat actors will penetrate any perimeter put in place to keep them out—protecting the data itself will render that ultimate prize worthless on the black market and blunt the negative repercussions of a successful hack.
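The data-centric approach described above, illustrated with an added example that is not part of the original commentary or of any comforte AG product: a hypothetical vault-style tokenizer replaces the sensitive column of a payout report (the constructed rows below stand in for the kind of streamer payout data reported in the leak; the channel names and amounts are made up) with random tokens that keep the original format, while the only mapping back to the real values lives in the vault. A copy of the tokenized report that leaks without the vault reveals nothing about the real figures.

```python
import secrets
import string

# Constructed sample rows in the shape of a payout report; values are invented.
PAYOUT_ROWS = [
    {"channel": "streamer_a", "payout_usd": "1250000"},
    {"channel": "streamer_b", "payout_usd": "98500"},
    {"channel": "streamer_c", "payout_usd": "98500"},
]


class TokenVault:
    """Hypothetical vault-based tokenizer (not a real library).

    Each sensitive value is replaced by a random token of the same length and
    character class (digits stay digits, letters stay letters), so downstream
    systems that validate formats keep working.  The value-to-token mapping is
    kept only inside the vault; the tokens themselves are unrelated to the
    values, unlike a hash, which an attacker could brute-force for small
    numeric fields such as payout amounts.
    """

    def __init__(self):
        self._to_token = {}
        self._to_value = {}

    def tokenize(self, value: str) -> str:
        # Same value -> same token, so joins and aggregates over tokenized data
        # still work.  Caveat: this consistency also preserves equality, so
        # identical payouts remain recognisably identical (a frequency leak).
        if value in self._to_token:
            return self._to_token[value]
        while True:
            token = "".join(
                secrets.choice(string.digits) if ch.isdigit()
                else secrets.choice(string.ascii_lowercase) if ch.isalpha()
                else ch
                for ch in value
            )
            # Reject collisions and the (unlikely) case of a token equal to the value.
            if token != value and token not in self._to_value:
                break
        self._to_token[value] = token
        self._to_value[token] = value
        return token

    def detokenize(self, token: str) -> str:
        # Raises KeyError when the vault never issued this token, which is
        # exactly what happens to anyone holding the leaked report without the vault.
        return self._to_value[token]


def tokenize_rows(rows, vault: TokenVault, fields):
    """Return copies of the rows with the named fields replaced by tokens."""
    return [
        {k: (vault.tokenize(v) if k in fields else v) for k, v in row.items()}
        for row in rows
    ]


def detokenize_rows(rows, vault: TokenVault, fields):
    """Inverse of tokenize_rows; only works with the vault that issued the tokens."""
    return [
        {k: (vault.detokenize(v) if k in fields else v) for k, v in row.items()}
        for row in rows
    ]


def leaked_report_is_opaque(original_rows, tokenized_rows, field) -> bool:
    """True when no real value of `field` appears anywhere in the tokenized copy."""
    real_values = {row[field] for row in original_rows}
    return all(row[field] not in real_values for row in tokenized_rows)


if __name__ == "__main__":
    vault = TokenVault()
    protected = tokenize_rows(PAYOUT_ROWS, vault, {"payout_usd"})
    print("tokenized report (what a leak would expose):", protected)
    print("real values absent from leak:", leaked_report_is_opaque(PAYOUT_ROWS, protected, "payout_usd"))
    print("restored with vault:", detokenize_rows(protected, vault, {"payout_usd"}) == PAYOUT_ROWS)
```

The design choice worth noting is the consistency of the mapping: it keeps the tokenized report usable for reporting, but it means equal amounts stay equal, so a threat model that cares about that frequency information would issue a fresh token per row instead.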
Chris Clements, Vice President, Solutions Architecture, Cerberus Sentinel
The amount and variety of the data leaked, from source code to payment info, indicates that the attacker likely gained extremely broad if not complete access to Twitch’s organization.
The immediate risk would be to users who had password hashes leaked without MFA enabled, as well as any other accounts those users had where the same password was reused. Secondarily would be for any targeted social engineering campaigns that attackers may be able to carefully target using stolen information such as detailed account info or direct messages between Twitch platform users. All Twitch users should immediately change their passwords to be unique and strong, as well as implement non-SMS based MFA. Further they should be on guard especially in the coming months for phishing or other social engineering based attacks related to Twitch or their Twitch account.
Further down the line there may be exploitable security issues detected from attackers reviewing stolen source code for potential vulnerabilities as well as intellectual property theft that could be leveraged by unscrupulous actors to build rival platforms or core functionality. This attack further demonstrates that no organization is safe from security compromise. We may never discover the attacker’s true motivation, but taken at face value, a simple disgruntled user or employee may be all it takes to be actively and persistently targeted.