Infosec Experts: Twitch Breach “As Bad as it Gets”

Gaming and content streaming giant Twitch has confirmed a breach has taken place at the firm, after reports claimed a hacktivist leaked its entire source code, creator info and internal data.

A brief statement from the Amazon-owned firm, posted yesterday afternoon, said: “Our teams are working with urgency to understand the extent of this. We will update the community as soon as additional information is available. Thank you for bearing with us.”

That came after Video Games Chronicle first reported that an anonymous 4Chan user posted a 125GB torrent link to the site containing the data dump. Sources told the site it could have been taken as recently as Monday.

Leaked data reportedly includes all of the firm’s source code; mobile, desktop and console clients; proprietary SDKs and internal AWS services; and “every other property” it owns, including IGDB, CurseForge and an unreleased Steam competitor, dubbed “Vapor.”

Also leaked were red teaming tools used by the firm’s SecOps function and, perhaps most embarrassing, sensitive information on how much it paid its most popular streamers back in 2019 — which reached millions of dollars for some.

It appears the hacker may have been acting in retaliation for what many users saw as Twitch’s inadequate response to the problem of hate raids on the site over the summer. Here, bots were used by trolls to flood the chat section of certain streamers, mainly from minority or marginalized communities, with hateful messages.

In fact, in the original post, the anonymous hacktivist described Twitch as a “disgusting toxic cesspool” and that they were releasing source code from nearly 6000 internal Git repositories “to foster more disruption and competition in the online video streaming space.”

"Jeff Bezos paid $970m for this, we're giving it away FOR FREE. #DoBetterTwitch," they added, using the hashtag popular with hate raid protesters.

Cybersecurity experts were quick to ask questions of the internal security posture at one of the world’s biggest gaming platforms.

“This will send a shudder down any hardened infosec professional. This is as bad as it could possibly be,” argued ThreatModeler CEO, Archie Agarwal.

“The first question on everyone’s mind has to be: how on earth did someone exfiltrate 125GB of the most sensitive data imaginable without tripping a single alarm? There’s going to be some very hard questions asked internally.”

He added that user information will probably have been swept up in the breach, so account credentials will need to be reset.

“This incident serves as a reminder that while ransomware attacks are taking up the majority of headlines recently, breaches that result in stolen proprietary data are still a real and persistent threat,” argued Darren McCutchen, principal threat researcher at NetWitness.

“It’s important that enterprises have the ability to detect threats immediately and react quickly to keep threat actors from gaining access to critical systems and then moving laterally to steal seemingly unrelated data and information.”

Most worrying for Twitch is the fact that the initial leak was labelled “part one,” indicating there’s more to come.

What’s Hot on Infosecurity Magazine?