Incident & Breach Response
Reports: Platform’s Entire Source Code Compromised in 125GB Leak
Stay tuned for updates on this developing story.
See Also: Marching Orders: Understanding and Meeting the Biden Administration’s New Cybersecurity Standards
Amazon-owned video streaming service Twitch, which focuses on video games and e-sports broadcasts, has reportedly suffered a massive data breach, which the company vaguely confirmed via Twitter on Wednesday. A post on the anonymous online forum 4chan reportedly indicates that the entire platform has been compromised – including source code and user payout information, according to the publication VideoGamesChronicle.com, or VGC.
The 4chan post reportedly contained a 125GB torrent link indicating that the breach was meant to “foster more disruption and competition in the online video streaming space,” the same VGC report indicates. The alleged hacker reportedly called the community a “disgusting, toxic cesspool.”
Taking to Twitter to confirm the incident, the company said on Wednesday morning, “We can confirm a breach has taken place. Our teams are working with urgency to understand the extent of this. We will update the community as soon as additional information is available. Thank you for bearing with us.”
Twitch did not immediately respond to Information Security Media Group’s request for additional information.
Twitch data that’s reportedly now in the hands of the hacker includes:
- Twitch’s source code;
- 2019 creator payout reports, including 81 streamers earning more than $1 million;
- A compilation of Twitch clients;
- Proprietary software development kits and internal AWS services;
- Access to the Twitch-owned Internet Games Database and CurseForge;
- An unreleased Steam competitor from Amazon Game Studios;
- Twitch’s internal red-teaming tools.
According to VGC, the leaked data also identifies and quantifies the platform’s top earners.
Archie Agarwal, founder and CEO of ThreatModeler, says of the incident: “A data breach that includes the entire source code, including unreleased software, SDKs, financial reports and internal red-teaming tools will send a shudder down any hardened InfoSec professional’s [spine]. This is as bad as it could possibly be.”
‘How on Earth?’
The hacker has reportedly called Wednesday’s leak “Part One,” hinting at further drops. It appears that the first wave does not include passwords, physical addresses or email addresses of Twitch subscribers, The Verge reports.
Many on social media are calling for Twitch users to activate two-factor authentication – typically requiring verification via smartphone – in their security and privacy settings, to further secure accounts.
Bill Lawrence, a former cybersecurity instructor at the U.S. Naval Academy and currently CISO with the firm SecurityGate, notes, “[Twitch’s] data loss prevention and exfiltration prevention don’t seem to have worked, and the volume of the hack could point to an insider or very lax controls around the keys to the ‘Twitch kingdom’ that an external hacker found.”
And Agarwal says, “How on earth did someone exfiltrate 125GB of the most sensitive data imaginable without tripping a single alarm? There’s going to be some very hard questions asked internally. … [And] it’s almost guaranteed user information will have been swept up in this breach, and so users will have to take the usual precautions.”
This week’s incident follows several recent headlines that found the streamer facing user protests – labeled the #DoBetterTwitch movement – against harassment on the channel. The topic of interest – “hate raids” – involves viewers being rerouted to different channels when streamers head offline – a tool that, if abused via bots, can result in overwhelming spamlike or hateful messaging.
Responding via a Twitter thread in August, the company said: “We’ve seen a lot of conversation about botting, hate raids, and other forms of harassment targeting marginalized creators. You’re asking us to do better, and we know we need to do more to address these issues. That includes an open and ongoing dialogue about creator safety.”
Twitch also wrote that it had identified a flaw in its protective filters, for which it rolled out an update that would better detect hate speech in chat. The company said it will be launching channel-level ban evasion detection and account verification improvements by later this year. It also said it is trying “to build a safer Twitch.”