Ep 36 Twitch Hack

  1. Twitch hack or Source Code! Get your source code here!

The entirety of Twitch has reportedly been leaked

https://www.videogameschronicle.com/news/the-entirety-of-twitch-has-reportedly-been-leaked/

A Devastating Twitch Hack Sends Streamers Reeling

https://www.wired.com/story/devastating-twitch-hack-sends-streamers-reeling/

Twitch confirms it was hacked after its source code and secrets leak out

https://www.theverge.com/2021/10/6/22712365/twitch-data-leak-breach-security-confirmation-comments

Twitch’s Twitter posts

https://twitter.com/Twitch/status/1445770441176469512

https://twitter.com/Twitch/status/1445985601174392835

Twitch’s blog - Update on the Twitch Security incident

https://blog.twitch.tv/en/2021/10/06/updates-on-the-twitch-security-incident/?utm_referrer=https://t.co/

FB Update about the October 4th outage

https://engineering.fb.com/2021/10/04/networking-traffic/outage/

Hello and welcome back to USB our Guest Cyber Security tips. I’m Theo, here to help you break down cyber security topics and hacks and how they affect you. Today's episode covers the recent Twitch hack. Links to the articles, Twitter posts and blogs referenced are in the show notes. First and foremost, if you are a Twitch streamer or have a Twitch account for viewing, I highly advise pausing this episode and changing your Twitch password and, if you haven’t done so, enabling 2-factor authentication.

That being said, on the morning of 10/6 Twitch confirmed on Twitter that the leak was authentic, stating, quote:

“We can confirm a breach has taken place. Our teams are working with urgency to understand the extent of this. We will update the community as soon as additional information is available. Thank you for bearing with us.”

Early the next morning, Twitch released another update stating “Our investigation is ongoing, and we are in the process of analyzing all of the relevant logs and data to assess actual impact.” along with a link to their blog for more updates. As of 10/11, only 2 posts exist: the most recent post, from 10/7, notifying streamers that, quote, “Out of an abundance of caution” all stream keys have been reset, and the post from 10/6 legitimizing the breach. The 10/6 post reveals that, quote, “We have learned that some data was exposed to the internet due to an error in a Twitch server configuration change that was subsequently accessed by a malicious third party.” and continues, “At this time, we have no indication that login credentials have been exposed. We are continuing to investigate. -- Additionally, full credit card numbers are not stored by Twitch, so full credit card numbers were not exposed.”

Initially reported by Video Games Chronicle, the leak was posted on 4chan by an anonymous hacker who stated the leak’s intention to, quote, “foster more disruption and competition in the online video streaming space” because, quote, “their community is a disgusting toxic cesspool”. The leaked Twitch data reportedly contains the following.

  • Twitch’s entire source code with commit history “going back to its early beginnings”

  • Creator payout reports from 2019

  • Mobile, desktop and console Twitch clients

  • Proprietary SDKs (software development kits) and internal AWS services used by Twitch

  • “Every other property that Twitch owns” including IGDB and CurseForge

  • An unreleased Steam competitor, codenamed Vapor, from Amazon Game Studios

  • Twitch’s internal ‘red teaming’ tools (designed to improve security by having staff pretend to be hackers)

What does all this mean? Here are my take-aways.

Twitch’s source code with commit history, Twitch clients, SDKs, Vapor - If the bad guys were so inclined, and they will be, they could use this data to make an exact duplicate of Twitch, or at least its home and login pages, that could be used for credential stealing. Never click on links anywhere that redirect you to log in.

Creator payouts - This is giving the bad guys confirmed money targets for hacking. Some of these creators are making millions and are now prime targets for the bad guys to go after.

Red teaming tools - The bad guys now have access to tools that Twitch uses to test their own security. And worse yet, they know what Twitch is looking for and what they are missing when they are penetration testing their own systems.

Again, if you haven’t changed your Twitch password and enabled 2-factor authentication, do so now. Twitch has said that they have no indication that login credentials have been exposed, not that login credentials have not been accessed. Perhaps take this opportunity to start using a password manager, because if passwords have been stolen, they could be used in another attack. Which could be bad, especially if you reuse passwords. Stop.. Reusing.. Passwords..

One last observation: this breach shares characteristics of Facebook’s outage from 10/4, in which Facebook’s “engineering teams have learned that configuration changes on the backbone routers that coordinate network traffic between our data centers caused issues that interrupted this communication. This disruption to network traffic had a cascading effect on the way our data centers communicate, bringing our services to a halt.” Although Facebook experienced an outage and Twitch a breach, I thought it was interesting that the phrasing, referencing “configuration changes”, in these two events was similar.

That’s all for today’s episode. If you have a topic you would like me to cover, drop me a line at anchor.fm/usbog or email me at usbourguest@gmail.com. If I've helped you in any way, please consider telling friends or family about the podcast, or rate and review the podcast on whatever platform you use to listen. Thank you for listening and have a great day.