Just as we thought Facebook’s long downtime would be the most important cybersecurity news of the week (and it was), hackers went after Twitch. They leaked Twitch’s source code and revealed everything, from how much top streamers make (a lot) to the existence and development of a Steam-like client for Twitch.
Twitch is still investigating the incident, but security experts warn of dire consequences for Twitch’s livestreaming platform while the internal investigation continues. Given the size of the hack, that investigation could take quite a while.
Archie Agarwal, ThreatModeler CEO and founder, stated that reading about a data breach that contains the entire source code and all financial reports “will send a shock down the spine of any infosec professional.” This is the worst possible situation.
“The first question everyone should ask is, ‘How did someone steal 125GB of the most important data possible without setting off a single alarm?’ You’re going to have some tough questions internally.”
Ian Brownhill, Future’s information security director, stated that the theft of the Twitch code could provide hostile actors with a “massive view” into the platform and its infrastructure. It could also expose other vulnerabilities that could allow for future attacks, not just against Twitch but also against Amazon.
This risk could be increased if the attackers are neither state-based nor criminal. Brownhill stated that the monetary rewards are very limited unless a ransom is possible. Criminal gangs, he said, are looking for credit cards or PII (personally identifiable information) to target; they would not be asking for ransoms. It is not likely that a nation-state would be involved: they want Colonial Pipeline and other critical-infrastructure-type takedowns (or election tampering). However, this cannot be totally ruled out.
Jonathan Knudsen, senior security strategist at Synopsys Software Integrity Group, echoed this point in a statement. He stated that having access to the source allows attackers to “reverse engineer” software applications and understand their workings. Anyone in the world can now get Twitch’s source code.
Knudsen stated that whatever Twitch did for application security, they should redouble their efforts. Anyone can run interactive and static analysis as well as fuzzing or any other application security testing tool. Twitch will be pushing their application security to the next level by finding and fixing flaws before anyone else.
Brownhill said that security breaches aren’t always the result of Hollywood-style hijinks. They can be caused by human frailty, including “phishing” to steal credentials, then moving laterally and escalating privileges, or disgruntled employees. A “phone spearphishing attack” was in fact how a Florida teenager hijacked dozens of well-known Twitter accounts in 2020 and stole more than $117,000.
Trevor Morgan, Comforte AG’s product manager, stated that this breach means companies like Twitch should focus more on data-centric security approaches rather than putting all their resources into keeping hackers out. He said that “threat actors will penetrate any perimeter put into place to keep them away. Protecting data will make the ultimate prize on the black market worthless and reduce the negative consequences of a hack.”
Good news for Twitch users: at this point, usernames, passwords and credit card information don’t seem to have been leaked. However, Knudsen stated that the published data includes hashed passwords. Twitch will need to confirm the extent and cause of the data loss, but users should change their passwords immediately, because hackers may attempt “credential stuffing”: reusing leaked username and password combinations across multiple sites. Enabling 2FA is also a good idea, and follow-up requests for personal data should be treated with suspicion.
Brownhill stated that this type of activity can lead to additional phishing campaigns. “People [may be] pretending to be Twitch offering support/compensation/services to trick people into handing over more information.”