Livestreaming and videogaming platform Twitch continues to investigate a major breach of its systems that saw over 125GB of its data, including source code, leaked via the 4chan forum.
Multiple sources, including Computer Weekly’s sister title SearchSecurity, have independently verified the leaked data to be genuine.
News of the incident first emerged on 6 October, and Twitch itself acknowledged the breach at about 4.20pm in a brief statement posted to Twitter. It said: “We can confirm a breach has taken place. Our teams are working with urgency to understand the extent of this. We will update the community as soon as additional information is available. Thank you for bearing with us.”
In a full statement published at 6.30am today, Twitch said: “We have learned that some data was exposed to the internet due to an error in a Twitch server configuration change that was subsequently accessed by a malicious third party.
“As the investigation is ongoing, we are still in the process of understanding the impact in detail. We understand that this situation raises concerns, and we want to address some of those here while our investigation continues.
“At this time, we have no indication that login credentials have been exposed. We are continuing to investigate.
“Additionally, full credit card numbers are not stored by Twitch, so full credit card numbers were not exposed.”
In a further update since then, Twitch said that as a precaution it has reset all its users’ stream keys – these are the unique codes that enable streamers to connect Twitch to their broadcast service of choice, such as Twitch Studio, Twitch Mobile App, OBS, Streamlabs, PlayStation or Xbox.
Twitch users can generate new stream keys via their user dashboard and may need to manually update their broadcast software with the new key in order to resume streaming.
As a significant breach affecting a well-known consumer brand, the Twitch incident has generated much interest from the wider cyber security community, including the usual unhelpful speculation on the cause of the incident, and preventative actions Twitch could have taken in entirely hypothetical scenarios.
Hacktivist action
What is agreed upon is that the attack was almost certainly not driven by financially motivated cyber criminals, but by hacktivists who wanted to teach Twitch a lesson for failing to clamp down on abuse, harassment and hate speech on its platform, as evidenced by an initial statement made by the person or persons responsible, which branded Twitch’s community a “disgusting, toxic cesspool”.
Quentin Rhoads-Herrera, director of professional services at Criticalstart, a supplier of managed detection and response (MDR) services, commented: “This is more of a way to publicly humiliate Twitch and potentially lower the trust users may have in the platform.
“If it was ransomware, we would have seen encryption events as part of this and normally these types of groups don’t announce a breach until they have both stolen data and encryption moving through the victim’s network. This sounds like a hacktivist, or someone who has hacked Twitch to drive a point across.
“It appears the overall goal was to shame Twitch, not harass or hurt its userbase.”
Extent of leak troubling
One thing most observers agree on at this stage of the investigation is that the extent of the data leak – including Twitch’s source code – means the breach will have substantial repercussions for Twitch beyond merely shaming it.
Clavister CEO John Vestberg described the incident as the equivalent of KFC losing its secret recipe. “What made its offering unique is now available to all its competitors,” he said. “Data is a company’s most valuable asset and it needs to be protected as such.”
Check Point Software cloud security architect Stuart Green added: “Anytime source code gets leaked, it’s not good and potentially disastrous. It opens a gigantic door for evil-doers to find cracks in the system, lace malware, and potentially steal sensitive information.”
Jonathan Knudsen, senior security strategist at the Synopsys Software Integrity Group, said: “Whatever Twitch was doing for application security, they need to redouble their efforts. Anyone can now run static analysis, interactive analysis, fuzzing, and any other application security testing tools. Twitch will need to push their application security to the next level, finding and fixing vulnerabilities before anyone else can find them.”