A massive data breach of the video streaming service Twitch has exposed almost everything that could be taken from its internal network. The 125GB torrent, posted on a public website for anyone to download, has been confirmed by Twitch and is only the "first part" of the materials to be posted according to the anonymous leaker.
Twitch data breach exposes the entire platform to the public
The data breach appeared as a 125GB torrent link posted on the popular 4Chan message board on Wednesday. The anonymous leaker accompanied the link to the torrent with a message indicating that it is more an activist action than an attempted cybercrime; Captioning the initial post with a photo of a shocked Jeff Bezos (Amazon bought Twitch for $ 970 million in 2014), the leaker called Twitch a "disgusting toxic cesspool" and urged the company to "do better."
Founded as the gaming channel for pioneering streaming service Justin.tv in 2007, Twitch quickly took on a life of its own as the world's leading online destination for e-sports streaming. It is also the leading site for streamers who make a living recording themselves playing video games online. The site is one of the most active in the world, with numbers that place it in the company of services such as Netflix and YouTube.
The leaker claims that the source code was taken from more than 6,000 internal GitHub repositories. According to 4Chan's initial post, the data breach contains almost every piece of proprietary code one could want from Twitch: the service's clients for various platforms, all the code for the twitch.tv site dating back to its inception, internal AWS services, proprietary SDKs, code for properties purchased by Twitch (such as the CurseForge mod site and Internet games database), internal "red team" security tools to simulate attacks, and initial code for an online gaming platform called Vapor (comparable to Steam) that Amazon currently has in development.
There are conflicting reports on whether encrypted or hashed passwords are included. 4Chan's initial post doesn't mention this, but some social media users claim to have found some while searching the torrent. Regardless of whether or not user login information is included, all Twitch users are encouraged to change their password and ensure that two-factor authentication is implemented as more leaked data may be arriving.
In addition to the outright code stack, the data breach included tables that reveal how much the platform's streamers earn each month. While this did not include financial information or personal documents, it quickly became a popular gossip on the Internet, as it was revealed that broadcasting yourself by playing video games can make you a millionaire; in fact, 81 people have made more than $ 1 million since August 2019. The top earners, the Critical Role channel, are close to making $ 10 million.
Twitch confirmed the data breach was legitimate in a tweet Wednesday, saying it is "working urgently" to measure the extent of the damage. The company reset all streaming keys on Thursday as a security measure and asked content creators to obtain new ones.
Jarno Niemela, Principal Investigator of F-Secure, advises anyone with a Twitch account to act as if whatever they have written on the platform will eventually leak: โAs the attacker indicated that they have not yet revealed all the information they have, anyone who has been a Twitch user you should review all the information you have provided to Twitch and see if there are any precautions you need to take so that no more private information is leaked. And while it won't help in this case, since the data has already been leaked, users should always be careful about the type of information they provide to any social media platform. "
Why would activist hackers target Twitch?
While cybercrime has increased greatly since the start of the pandemic, this type of massive public data breach is more reminiscent of the 2011 LulzSec attacks that compromised targets like Sony and Fox Broadcasting for apparently no reason other than personal fun. .
While the leaker has yet to elaborate on his motivations, the timing would indicate that it has something to do with the growing discontent among streamers over the harassment. On September 1, several high-profile streamers staged a virtual strike during the day in protest at the platform's failure to protect them from organized "hate raids" that disrupt broadcasts. Often powered by bots, hate forays involve flooding a stream with negative comments to kick legitimate users out of the chat.
The leaker's 4Chan post may refer to the #TwitchDoBetter hashtag under which the creators have rallied to protest Twitch's lack of security and moderation. However, fooling these same creators and endangering the platform itself through a massive data breach would certainly be an unusual protest strategy.
There are other reasons why people may be involved in hacktivism against Twitch, although as of yet there are no clear links to anything other than the "do better" movement to protect creators. The platform has angered many in recent years by its rigorous and sometimes capricious surveillance of the content of the broadcast, issuing bans on the use of words that are risque but not profane and receiving criticism from conservatives for prejudice. Perceived politicians (former President Trump had his live broadcast channel of banned rallies on the platform). The creators have also expressed dissatisfaction with the platform's sexual content policies. Nominally banned, some creators feel that certain streamers are abusing the system by wearing revealing clothing during broadcasts; essentially a "peep show" under the ruse of watching a video game. Bikini streamers became so common that Twitch created a dedicated "Jacuzzi, Pool, and Beach" channel earlier this year for broadcasts of this nature.
