Clicky

The Twitch Hack: It’s Personal, It’s Big and if You’re in Network Security, Scary AF
by Shelly Kramer | October 13, 2021

Twitch, Amazon’s streaming service, was hacked early last week and it seems like it was personal, not just another random hack. First reported by Video Games Chronicle, an anonymous hacker or hackers posted a 125GB torrent link to 4chan on Wednesday of last week. VGC verified that the leaked information was publicly available for download on 4Chan.

The leaked information included Twitch’s entire source code and payout information related to the sums popular Twitch creators make, as source code data for mobile, desktop, and game console Twitch clients, along with an unreleased Steam competitor for Amazon Game Studios, and Twitch’s internal security tools.

The anonymous hacker or hackers who dumped the data online said their motivation was all about fostering competition in online streaming, describing Twitch’s community as a “disgusting toxic cesspool.” Although these comments are focused on the Twitch community, the fact that it doesn’t appear as though user data (password/address info) of Twitch users was released and that only (so far) information was shared about Twitch’s company/tools, source code, looks like it’s somebody pissed off about Twitch (and maybe Amazon) more than the users themselves.

Equally relevant, this leak was labeled as “part one” indicating there could be more trouble ahead for Twitch.

Here are the specifics on what the Twitch hack exposed:

  • Three years of details on creator payouts
  • All of Twitch.TV data from its inception
  • Source code for mobile, desktop, and video game console Twitch clients
  • Code related to the proprietary SDKs and internal AWS services used by Twitch
  • An unreleased Steam competitor, codenamed “Vapor” from Amazon Game studios
  • Data from other Twitch-owned properties like CurseForge and IGDB
  • Twitch’s internal security tools designed to improve security by having staff pretend to be hackers

Twitch’s troubles continued on Friday of last week, when background images for Minecraft and GTA V were replaced on Twitch with images that appeared to be Amazon founder Jeff Bezos’ face.

The Twitch Hack

The Biggest Hack in History Should Be a Wakeup Call for Network Security

This is quite literally one of the biggest data hacks in history — so far. The fact that the leaked data contains the complete source code of Twitch that opens a big door for threat actors to waltz in and not only steal sensitive information, but also find vulnerabilities, insert malware, and steal sensitive information. Twitch is still investigating the breach but claims that thus far no login credentials have been exposed and that full credit card information hasn’t been accessed (because it’s not stored by Twitch).

What happened?

According to Amazon, Twitch had a misconfigured server, that was accessed by a third party, which raises many questions around network security practices. A server misconfiguration is one of the most common vulnerabilities that hackers look to exploit and according to IT Governance “According to a recent report by Rapid 7, Internal penetration tests encounter a network or service misconfiguration more than 96% of the time.”

While some concerns have been tossed around about what the Twitch hack means as it relates to the security of Amazon’s AWS cloud, Amazon has made it clear that this breach has nothing to do with the security of AWS cloud server and given how Amazon compartmentalizes its business/operating units, that makes sense. That’s actually one of the knocks against Amazon as it relates to this hack – discussion on that front has centered on the thought that had the company had better control over the Twitch platform perhaps it could have discovered and mitigated the breach more quickly.

The Twitch hack has most definitely caused a ripple of fear through the hearts of many a network security professional. There’s really not one bit of Twitch data that hasn’t been accessed as part of this hack — it spanned every aspect of the platform and contained the ultimate in proprietary data. “This is as bad as it could possibly be” Archie Agarwal, founder and CEO at ThreatModeler, a NJ-based cybersecurity firm remarked when discussing the Twitch hack for The Guardian. And more damningly, “How on earth did someone exfiltrate 125GB of the most sensitive data imaginable without tripping a single alarm?”

While it doesn’t appear that unencrypted password information or credit card data was part of this data dump, it’s recommended that Twitch users turn on two factor authentication to be safe. I’ll close by saying the Twitch hack definitely got the attention of the video game streaming community and “how to delete Twitch” queries increased to 733% around the world a week ago. It remains to be seen what kind of impact this will have on Twitch’s 51+ million users. As we know, hacked today, forgotten tomorrow is largely the way we roll when it comes to massive security breaches. But we’ll be watching with interest.

Fred McClimans, my colleague and fellow analyst here at Futurum, and I covered the Twitch hack as part of our Futurum Tech Webcast Cybersecurity Shorts episode. You can watch the conversation here:

or stream the audio of the whole Cybersecurity Shorts episode by way of your favorite podcast streaming platform here.

Don’t Miss An Episode – Subscribe Below:

 

Disclaimer: The Futurum Tech Webcast is for information and entertainment purposes only. Over the course of this webcast, we may talk about companies that are publicly traded and we may even reference that fact and their equity share price, but please do not take anything that we say as a recommendation about what you should do with your investment dollars. We are not investment advisors and we do not ask that you treat us as such.

Transcript:

Shelly Kramer: So in the opposite of good things happening, I wanted to talk next about the Twitch hack. And that’s kind of the big news of the week beyond what’s going on with Facebook. And it’s certainly big news in the gaming ecosystem, right? The gaming community. So what happened is that Twitch, which is Amazon’s streaming service was hacked earlier this week. And, it appears as though it wasn’t just another random hack. It was a personal hit. And so this was first reported by Video Games Chronicle. An anonymous hacker or hackers posted a 125-gigabit torrent linked to 4chan on Wednesday, and BGC verified that this information was available publicly for download on 4chan.

So it’s out there. This leaked information contained a lot of information, probably the most alarming of which was Twitch’s source code. And, it also included payout information related to how much Twitch’s most popular streamers make.

Fred McClimans: Which is a lot.

Shelly Kramer: Well, it is a lot, but I mean, and not to mitigate that in any way, but YouTube’s most popular personalities make a lot, and Instagram influencers. I mean, like to me, that that is not something that would piss me off, or yeah, I don’t know. I just didn’t feel like that was something that was tremendously harmful. People … I don’t know who knows? But, so how much money some of the popular Twitch creators make, the source code data for mobile, desktop, and game console, Twitch clients. There was also an unreleased steam competitor that was code-named vapor from Amazon game studios.

So, a game that hasn’t yet been released, code that was related to proprietary SDKs and internal Amazon web services used by Twitch. That’s a big deal. And along with Twitch’s internal security tools designed to improve security by having staff pretend to be hackers. So that’s sort of, “Here’s my security tools, take a look, right? Here’s what we’re using.” That’s problematic. So, but what I said though originally was that this appears to be personal. And the reason that I said that is because when the data was dumped online, the hacker or hackers said that their motivation was all about fostering competition and online streaming. Okay. I get that may be why the creators felt payment information is relevant. I get that. And the hacker described Twitch’s community as a disgusting toxic cesspool. So seems fair to say, right, that it’s a personal attack.

Fred McClimans: Yeah, perhaps along the likes of the Sony attack, the other day we talked about it.

Shelly Kramer: Exactly, exactly. That’s actually what it was compared to. And so, it did not appear even though the statement sort of maligned the Twitch community, it doesn’t appear that user data like passwords and address information were released. So, I guess that’s important. So, it looks like maybe somebody who was aggravated about Twitch and maybe Amazon more, than simply the users themselves. I don’t know. But, so this happened earlier this week, and of course, we keep talking about it, reporting on it, and learning more. And one of the things that this morning, Friday, October 8th, is that background images for Minecraft and GTA 5, which I know is a game, but I’m not a gamer, so I’ve never played it. I do know what Minecraft is. They were replaced on Twitch with images that appear to be Amazon founder, Jeff Bezos’ face. So that’s kind of, so we’re not done with this, right?

Fred McClimans: No.

Shelly Kramer: And I know you’re a gamer, and you have kids who are gamers, and so what do you think?

Fred McClimans: Yeah. It’s an interesting one. When you get something of this nature, it doesn’t look like monetization is the goal. There were initial reports that user data was out there, but that doesn’t really seem to be the case here. But I think for a lot of people, I know, I’m a Twitch user. My kids do have accounts on Twitch. Not too many people know that Amazon actually owns Twitch. I mean, Twitch is one of those online gaming streaming platforms that has just exploded over the past few years, but go back to the acquisition. I think Amazon paid, was like 950 million for this back in 2014. It’s got 41.5 million users in the US alone for this platform. It is absolutely huge. It’s over the top and it’s a competitor, direct competitor to the YouTube streaming services.

So I know, my youngest son, he had his gaming streaming channel on YouTube for Fortnite. And at a certain point, he said, “Dad, I think I’m going to move over to Twitch.” And I was like, “Okay, why?” And he’s like, “Well, I think you can make a lot more money there.” So, it’s a very interesting one, but just the fact that this code was available, that somebody was able to breach the system. It’s got to be viewed as a black eye on the part of Amazon, and their ability to secure this data. Because this streaming platform, it’s not something that’s widely used by adults around the world. It’s kids.

And, I know when you look at a platform that has kids tagged to it, and go back to earlier this week with Facebook saying that they were walking away from their plans for now for, call it like, Kidsta, kid’s Instagram out there. That’s a really dangerous thing because, the younger kids are when their personal data gets out there and their behavioral data gets out there, the way they choose passwords, when they’re online, when they’re located, who their friends are, the younger that happens, the more likely they are to be targeted through phishing attacks and social engineering attacks later in life. And, that’s a legacy that we just cannot pass on to the kids. It’s just, it’s not fair to them. And, I definitely, I look at Amazon and I go, “Guys, this is on you. You let this happen.”

Shelly Kramer: And, quite a few people mentioned that. And, according to Amazon, Twitch had a misconfigured server, it was accessed by an unauthorized third party. And, Amazon has made it clear that this breach has nothing to do with the security of its AWS cloud server. And as you said, the reality of it is Amazon owns Twitch, and one of the things that we talked about earlier before we started recording this show is that one of the things that Amazon does in many instances, is keep things fairly siloed. Like its Whole Foods business is separate from this, is separate from this, but the reality of it is, is that things sometimes aren’t silos, shouldn’t be siloed. And, one of the knocks against Amazon here was that had you had more control over this, had you, AWS been paying more attention to this, you could have perhaps avoided and, or mitigated this. And so it is, you can’t divest yourself entirely from this when this is a platform that you own.

Fred McClimans: Absolutely. And, I’ll make it very clear. I mean, and we’ve seen this, Shelly, in a lot of the primary research that we do at Futurum, where we look at the type of threats that enterprises are facing, and their concerns, and the mitigation efforts that they have to put in place. Particularly with cloud providers and some of the hyperscalers like Amazon, that are just massive in their cloud infrastructure and their market penetration. Misconfiguration of servers happens all the time. So for Amazon or anybody to say, “Look, it’s not a security issue. We weren’t hacked.” I’m sorry. I call bullshit on that. You opened the gates, you misconfigured something and you allow a security breach to occur. That’s on you.

Shelly Kramer: You know what? It is, actually. We will close this part of our conversation by saying if you’re a Twitch user, if your kids are Twitch users, this breach is still being investigated. There’s still a lot that we don’t know. And while it doesn’t appear that unencrypted password information was part of this data dump, it is recommended that Twitch users turn on two-factor authentication just to be safe. So if that’s you, if that’s your kids, please make sure to do that. It could be important. So, there we go.

About the Author

A serial entrepreneur with a technology centric focus, Shelly has worked with some of the world’s largest brands to lead them into the digital space, embrace disruption, understand the reality of the connected customer, and help navigate the process of Digital Transformation. Read Full Bio.