Amazon’s video streaming service Twitch admits it has suffered a huge data breach, after source code and earnings information is posted online
Amazon’s video streaming platform Twitch has admitted that it has suffered a data breach that has compromised data.
The admission from the popular streaming platform came after an anonymous hacker uploaded 126GB worth of information to 4Chan on Wednesday. This data included sensitive information including source code and details of the financial earnings of streamers.
This is not the first time Twitch has been compromised. In March 2015, Twitch was forced to reset user passwords after a hack lead to a possible compromise of usernames and passwords.
San Francisco-based Twitch was acquired by Amazon for nearly $1bn (£640m) in 2014, beating out a rival bid from Google.
It focuses on allowing users to watch gamers play video games, generating substantial advertising revenues, thanks to its 15 million daily active users and 3 million broadcasters monthly (as of February 2020).
However Twitch also allows other types of ‘creative’ content other than e-sports, and in 2019 it made headlines when thousands on the platform watched a gunman in Germany kill two people in eastern Germany, after attempting to enter a synagogue where people were observing a Jewish holiday.
Now the platform has confirmed a serious data breach after confidential data appeared online on Wednesday.
“We can confirm a breach has taken place. Our teams are working with urgency to understand the extent of this,” it tweeted. “We will update the community as soon as additional information is available. Thank you for bearing with us.”
It latter added that “out of an abundance of caution”, it had reset all stream keys.
In a blog post, Twitch confirmed that a malicious actor had stolen the data.
“We have learned that some data was exposed to the internet due to an error in a Twitch server configuration change that was subsequently accessed by a malicious third party,” wrote the platform. “Our teams are working with urgency to investigate the incident.”
“As the investigation is ongoing, we are still in the process of understanding the impact in detail,” it added. “We understand that this situation raises concerns, and we want to address some of those here while our investigation continues.”
“At this time, we have no indication that login credentials have been exposed. We are continuing to investigate,” it said. “Additionally, full credit card numbers are not stored by Twitch, so full credit card numbers were not exposed.”
One expert said the hacker appears to claim their action is in response to Twitch not tackling hate.
“Based on the information available, Twitch’s attacker appears to be a hacktivist working to damage the company for failing to take action against hate,” noted Marcus Fowler, director of strategic threat at Darktrace.
“This breach is on the heels of the mid-September hack against a web-hosting company, Epik, known for serving right-wing websites – continuing the emerging trend of malicious actors operating in line with their perceived ethical codes or social responsibilities,” added Fowler.
“Current speculation points to this breach coming through a third-party provider to Twitch, which reminds companies that they are only ever as secure as their supply chain,” said Fowler. “In this case, as with so many cyber-attacks, the ramifications are likely to be vast for Twitch – from both a reputational and financial standpoint.”
“The leak of the creator payloads would have been relatively straightforward (though time-consuming) to compute manually even before the leak – but collating these in one place has provided an extensive target list of individuals and organisations with high net worth for scammers to sift through,” he added.
“In today’s threat environment, no industry or organisation is safe and the range of bad actors are not only those thinking about monetary gain or geopolitical advantage,” concluded Fowler. “Targets include traditional manufacturing companies through highly digitized live-streaming platforms like Twitch. All organisations should take measures – such as deploying advanced AI – to prepare for the worst-case scenario.”
Another security expert echoed the fact that any type of organisation is now at risk, and that users need to ensure they are not reusing passwords across multiple platforms and services.
“This hack shows that any organisation, no matter how large, can be the target of a cyberattack,” noted Tony Pepper, CEO of Egress. “This hack has exposed highly sensitive operational data, including Twitch’s source code, once again highlighting to organisations the importance of taking the right steps to secure their data.”
“If the hacker’s motivation was to cause significant disruption for Twitch, it looks like they’ll achieve that goal,” said Pepper. “This hack also potentially leaked sensitive user data, including encrypted passwords, which means that Twitch users are also at risk of follow-up attacks, especially for the 65 percent of people who use the same password across multiple accounts.”
“This breach could be hugely damaging for Twitch and could dent users’ trust in the company’s ability to keep sensitive data safe,” concluded Pepper. “We’d advise Twitch users to change their passwords as soon as possible, and to ensure that they’ve enabled multi-factor authentication for additional protection.”
Another expert touched upon on how the hacker has managed to compromise highly confidential information, including the source code and the earnings of the streamers.
“While Twitch is yet to publicly confirm that the leaked documents are genuine, the apparent confidential contents of the exposed data will have the company’s executives hugely concerned,” noted John Vestberg, CEO of Clavister.
“With the earning of its streamers uncovered, as well as the leakers claiming to possess the platform’s very own source code, Twitch’s most valuable data is now out in the open,” said Vestberg. “Akin to KFC losing its secret recipe, what made its offering unique is now available to its competitors.”
“For Twitch this certainly calls for an internal review of its data and security protocols and is another warning to others,” said Vestberg. “It doesn’t matter how advanced your technology or product might be, you still need to have the most up-to-date and comprehensive cybersecurity measures in place to protect your company’s privacy.”
“Data is a company’s most valuable asset and it needs to be protected as such,” concluded Vestberg. “Organisations must adopt genuinely robust, but flexible, security measures in order to be protected from the ever-growing types of attack – from malware, ransomware and insider threats, to any method of cyberattack or avenue for data loss.”