CyberWire staff | thecyberwire.com »
Twitch, the video live-streamng service that focuses on serving gamers, has sustained a major data breach. The Video Games Chronicle reports that an anonymous hacker–and that’s “anonymous” with a small “a”–posted a 125 gigabyte torrent stream to 4chan this morning that’s said to include Twitch’s source code and user payout information in addition to other material that the report says amount to basically everything. It’s apparently a hacktivist operation. The anonymous hacker wrote that the dump’s intention was to “foster more disruption and competition in the online video streaming space” because “their,” that is, Twitch’s ”community is a disgusting toxic cesspool.”
Twitch confirmed that there had indeed been a breach, tweeting, “We can confirm a breach has taken place. Our teams are working with urgency to understand the extent of this. We will update the community as soon as additional information is available. Thank you for bearing with us.”
Danny Lopez, CEO at Glasswall Solutions, wrote to comment on the sheer quantity of data the attacker accessed:
“The volume of data which the hackers of Twitch have gained access to is concerning. Such sensitive information such as source codes and financial information should be protected by the highest levels of security. With 15 million daily users, Twitch holds significant amounts of data, much of which contains personal information about its customers. It is essential that a proactive approach is taken to cybersecurity in order to protect such information – once hackers have access to systems, there is little else that can be done. At a time like this when details are unclear, Twitch users should also take immediate steps, which includes changing their passwords and enabling two-factor authentication.
“But even when all procedures and policies are well-executed, there’s no escaping the fact that adversaries are constantly looking to probe vulnerabilities. Often this is as simple as inserting malware using documents and files shared in their hundreds every day in a business environment. It’s vital organisations invest in cyber protection services that stay ahead of attackers by eliminating the threats while still allowing both internal users and external customers to use the systems as expected.
“Attacks like these demonstrate that a traditional castle-and-moat approach to network security leaves organisations exposed. Zero trust security sees the world differently. No one is trusted by default, regardless of whether they are inside or outside a network. In a world where data can be held amongst multiple cloud providers, it is crucial to strengthen all processes relating to access verification. Without a zero-trust approach, organisations run the risk of attackers having a free reign across a network once they are inside.”
Javvad Malik, Security Awareness Advocate at KnowBe4, was also struck by the size of the breach, and recommends that users of Twitch take precautions:
“The Twitch breach is a large one and contains some potentially very sensitive information relating to some of its streamers. Changing passwords, especially if the same password has been used on other systems is a good first step for affected users. But it’s also worth bearing in mind that not all attacks based on information on these leaks will come immediately. Criminals can use the data within the leak to formulate convincing phishing attacks over weeks or months. So it’s important for Twitch users to remain vigilant of emails, text messages, physical letters or even phone calls claiming to be from Twitch, or a related service.”
Jarno Niemela, Principal Researcher at F-Secure, agrees that users need to look to their own security:
“This leak is very serious for Twitch, but the question is what effects this will have for the regular Twitch user. From what we currently know, is that as password hashes have leaked, all users should obviously change their passwords, and use 2FA if they are not doing so already.
“But as the attacker indicated that they have not yet released all the information they have, anyone who has been a Twitch user should review all information they have given to Twitch, and see if there are any precautions they need to make so that further private information isn’t leaked.
“And while it won’t help in this case as data has already leaked, users should always be cautious on what kind of information they provide to any social media platform.”
Bill Lawrence, CISO at SecurityGate, sounds positively weary of news like this:
“Twitch was hit hard by someone supposedly trying to make things hurt enough to change their gaming community. Data loss prevention and exfiltration prevention don’t seem to have worked, and the volume of the hack could point to an insider or very, very lax controls around the keys to the Twitch kingdom that an external hacker found.
“In the end, it is ‘another day, another breach’ to add to an ever-growing number. It is guaranteed that criminal organizations are working out ways to attack Twitch users with any PII or passwords in the trove.
“Monitor your credit, use MFA, change your passwords, and be nicer in forums online. Those will all be public and likely attributable sooner or later.”
Saryu Nayyar, Gurucul‘s CEO, points out that there’s not always an immediate profit motive in even the biggest hacks, and she too advises users to take precautions:
“The Twitch video streaming platform has apparently had its entire business downloaded and made available to all on 4chan. This includes all source code, including Twitch clients, creator payouts, proprietary SDKs and services, and several affiliated properties. The hacker who claimed responsibility said that the goal was to foster more innovation away from a platform whose community ‘“has become a disgusting toxic cesspool.’
“So there’s no immediate profit motive here; even if some team uses the downloaded code as the basis for a competitive product, it will likely be identified as stolen, and the product sanctioned. But the theft of payout information may mean that personal identifying data is out there too.
“Although passwords are encrypted, Twitch users are advised to set up two-factor authentication. While it’s an extra step in the login process, everyone should be using two-factor authentication when available.”
External Link: Twitch breached.