Analyzing the Twitch Hack and a Potential Security Hole Around IRC

Twitch, the live-streaming service used primarily by gamers, was recently attacked and at least 128Gb of data has been leaked onto the 4Chan forum. The data allegedly consists of vast volumes of sensitive data – everything from payments made to content creators to an unreleased gaming platform, from internal ‘Red Team’ hacking tools to the entirety of Twitch’s source code, the most valuable asset of any digital platform provider. The impact could be huge. With an estimated 51 million users, it will be an additional concern that Google searches for ‘How to delete Twitch’ rose by 733% on the day the news broke. It could prove to be a company killer.

Archie Agarwal, CEO of New Jersey cybersecurity firm ThreatModeler, told The GuardianHow on earth did someone exfiltrate 125GB of the most sensitive data imaginable without tripping a single alarm?”

Dark Intelligence has reviewed all the incoming darknet traffic – connections coming from the likes of the TOR browser – towards the twitch.tv domain. Amongst the high volumes of darknet traffic aimed at Ports 80 and 443 – the standard internet connection ports – Dark Intelligence discovered a small number (<1%) of connections aimed at irc.chat.twitch.tv via Port 6667, the most recent of which was on October 3. This port is used by internet relay chat (IRC), a popular messaging service in the early 2000s but has steadily declined in use. However, there are still a significant number of people using IRC – including Twitch, who use it to allow developers to create chat functionality to their Twitch channel. In June 2010, the main IRC servers were hacked, and the download was replaced by a version that had been compromised with a trojan backdoor.

"If twitch was using a compromised version, it's a significant security hole"

If Twitch was using a compromised version, it’s a significant security hole. On top of that, as IRC is no longer considered a standard service, it is much more likely that an attacker will find an unpatched version of IRC to exploit. Once inside, an attacker could then exfiltrate data via the same hole over an extended period. If Twitch’s internal security monitoring did not monitor IRC, it’s entirely possible that several gigabytes of data could be extracted undetected from right under their noses. More research – with the co-operation of twitch themselves – would be needed as Dark Intelligence cannot access their systems to uncover any further evidence, but it is an intriguing possibility.

Furthermore, it’s possible to begin to narrow down the likely culprit for this attack. The fact that the data was posted freely onto 4Chan – a website popular with certain gamer types and notorious for hosting large amounts of pornography – indicates that this is an act done to deliberately and publicly harm Twitch. There is no associated ransomware attack or evidence of the data being sold on the dark web, which would be the hallmarks of a cyber-criminal organization, nor is there any indication that this is the work of a sophisticated nation-state-backed advanced persistent threat group.

Instead, this seems to be the work of an individual attacker intent on disrupting Twitch. The platform has had several recent controversies, including banning several popular channels for violations of Twitch’s terms and conditions. Creators Amouranth and Indiefoxx have received several bans for live streaming content that the platform deemed too sexual. In contrast, another popular live streamer called DrDisrespect was permanently banned – he is now alleged to be suing twitch for damages.

As well as the possibility of the incident being caused by an insider, the attack could have been caused by a Twitch user with an ax to grind and some hacking skills who has been able to infiltrate a giant company and steal their most precious resources right before their eyes, without anyone noticing.

Whether that access was gained through a darknet connection via Port 6667 to Twitch’s IRC platform remains to be seen.

What’s Hot on Infosecurity Magazine?