A massive data breach from video streaming service Twitch revealed just about anything that could be mined from its internal network. The 125 GB torrent, posted on a public website for download, has been confirmed by Twitch and is only the “first part” of the material to come according to the anonymous leaker.
Twitch data breach exposes entire platform to the public
The data breach emerged in the form of a 125 GB torrent link posted on the popular 4Chan bulletin board on Wednesday. The anonymous leaker accompanied the torrent link with a message indicating that this is more of an activist action than an attempted cybercrime. Captioning the initial post with a photo of a surprised Jeff Bezos (Amazon bought Twitch for $970 million in 2014), the leaker called Twitch a “disgusting toxic sump” and urged the company to “do better”.
Founded as the video game channel of pioneering streaming service Justin.tv in 2007, Twitch quickly took on a life of its own as the world’s leading online destination for streaming esports. It is also the leading site for “streamers” who earn their living by recording and playing online video games. The site is one of the busiest in the world, regularly pulling numbers that place it in the company of services like Netflix and YouTube.
The leaker claims that the source code was pulled from over 6,000 internal GitHub repositories. According to the initial 4Chan post, the data breach contains just about every piece of proprietary code one would expect from Twitch: clients for the service on various platforms, all code for the twitch.tv site going back to its creation, internal AWS services, proprietary SDKs, code for properties acquired by Twitch (such as the CurseForge modding site and Internet Game Database), internal red teaming security tools used to simulate attacks, and initial code for an online gaming platform called Vapor (comparable to Steam) that Amazon currently has in development.
There are conflicting reports as to whether encrypted or hashed passwords are included. The initial 4Chan post does not mention them, but some social media users claim to have found them while browsing the torrent. Whether or not user login details are included, all Twitch users are advised to change their password and ensure that two-factor authentication is enabled, as more data may be disclosed.
In addition to the entire code stack, the data breach included charts revealing how much the platform’s streamers are making each month. While this does not include financial information or personal documents, it quickly became popular gossip on the internet as it was revealed that streaming yourself while playing video games can make you a millionaire; in fact, 81 people have earned more than $1 million since August 2019. The biggest earner, Critical Role, is set to hit $10 million.
Twitch confirmed the data breach was legitimate in a tweet on Wednesday, saying it was “urgently working” to measure the extent of the damage. The company reset all stream keys on Thursday as a security measure and asked content creators to get new ones.
Jarno Niemela, senior researcher for F-Secure, advises anyone with a Twitch account to act as if anything they’ve ever typed on the platform is going to eventually be disclosed: “When the attacker said that they had not yet posted all of the information they did, anyone who has been a Twitch user should review all of the information they have provided to Twitch and see if there are any precautions to be taken so that other private information is not disclosed. And although that does not help them in the event that data has already been leaked, users should always be careful about the type of information they provide to any social media platform.”
Why would activist hackers target Twitch?
While cybercrime has been on the rise since the start of the pandemic, this type of massive public data breach is more reminiscent of the LulzSec attacks in 2011, which compromised targets such as Sony and Fox Broadcasting for apparently no reason other than personal fun.
While the leaker has yet to elaborate on his motives, the timing would indicate that it has something to do with streamers’ growing dissatisfaction with harassment. On September 1, a number of high-profile streamers held a virtual walkout for the day to protest the platform’s failure to protect them from organized “hate raids” that disrupt broadcasts. Often driven by bots, hate raids involve flooding a stream with negative comments to drive legitimate chat users away.
The leaker’s 4Chan post may refer to the hashtag #TwitchDoBetter under which the creators have rallied to protest Twitch’s lack of security and moderation. However, doxxing these same creators and putting the platform itself at risk via a massive data breach would certainly be an unusual protest strategy.
There are other reasons why people might engage in hacktivism against Twitch, although there is as yet no clear connection to anything other than the “do better” movement to protect creators. The platform has angered many in recent years for its brutal and sometimes capricious policing of the content of streams, banning the use of off-color but non-profane words and taking criticism from conservatives over perceived political bias (former President Trump had his channel broadcasting live gatherings banned from the platform). Creators have also expressed their dissatisfaction with the platform’s sexual content policies. Such content is nominally banned, but some creators believe that some streamers abuse the system by wearing revealing clothing during streams; essentially a “peep show” under the guise of watching a video game. Bikini streamers have become so mainstream that Twitch earlier this year created a dedicated “Hot Tub, Pool and Beach” channel for streams of this nature.