An unknown hacker released all of Twitch’s source code this week in a 128 GB amount of data. The hacker, who called himself “Anonymous” on a 4chan discussion forum, said the Twitch community was “a disgusting, poisonous cesspool, and to create more unrest and competition in online video streaming, we pwned it all over publish the source code of almost 6,000 internal Git repositories in the first part. Jeff Besos paid $ 970 million for it, we’re giving it away for FREE. #DoBetterTwitch. “
Twitch andwho owns the company did not respond to requests for comment. They gave a brief explanation in which they confirmed that a security breach had occurred and promised to post updates in due course.
Twitch is one of the largest gaming platforms in the world with an average of 15 million daily users and more than 2 million Twitch authors broadcasting monthly. In 2020, more than 18 billion hours of Twitch video were streamed.
The Malwarebytes Labs team took a closer look at the current data leak on Twitch and provided important information for Twitch users. Owners of a Twitch account should therefore perform some security checks. There have been several reports that the website has been compromised.
Twitch has not yet confirmed the data leak. However, several people have reiterated that the leaked data, which includes streamers’ sales figures, matches the actual data.
A 128 GB torrent was published on the 4chan website. The poster claims the torrent contained all of Twitch’s data, including source code for desktop, mobile and console clients, streamers’ sales over the past three years, and various data about Twitch technology such as internal security tools.
The leak is marked as “Part 1”. The current data doesn’t seem to have any passwords or similar data, but these could be in the next few chunks. In the meantime, Malwarebytes strongly recommends Twitch users to take some steps.
Users should therefore log into their Twitch account and change their password. If you have used the password with other services, you should change it there as well. In addition, it makes sense to activate two-factor authentication on Twitch if the users are not already using it.
There is a small possibility that no passwords have been hacked. There is still no conspicuous activity by the “usual suspects”. However, it is also possible that the stolen passwords will only be kept under lock and key until “Part 2” of the data leak is published. It is all the more important to take action now and secure your personal data and accounts.
Christine Schönig, Regional Director Security Engineering, CER at Check Point Software Technologies, comments. “Twitch, the web site that is widely used for streaming, especially by video gamers, has been attacked by an unknown hacker. Sensitive information about different areas of the site and even about the users was stolen and posted on the internet. It’s about 125 gigabytes of data. Even the source code of the platform operated by Amazon should be included, as the media report.
The dangerous thing is that if the source code of a program is leaked, the criminal opens a huge door to find gaps in the system, smuggle in malware and steal sensitive data. We at Check Point therefore urgently recommend all Twitch users to exercise great caution when using this platform in the near future. As a quick reaction, we recommend changing passwords immediately and activating two-factor authentication of the accounts.
This year, our security researchers reported a general increase in cyber attacks of 40 percent compared to 2020. So increased vigilance is currently a particularly good idea. “
The #DoBetterTwitch trend has been on everyone’s lips for weeks as the platform has faced backlash for allowing “hate raids” in which the comment areas of minority players are flooded with insults and abuse. Twitch was forced to raise the issue on a Twitter thread in August and promised to do more to tackle racial abuse.
“This is not the community we want on Twitch, and we want you guys to know that we are working hard to make Twitch a safer place for creators to be. Hate spam attacks are the result of highly motivated evil actors and cannot be easily fixed, ”said Twitch. “Your reports have helped us take action – we have continuously updated our banned word filters to prevent variations of hateful insults and to remove bots when they have been identified.”
Those words did little to calm the outrage, and last month gamers protested and boycotted the site for 24 hours over the company’s inaction regarding “hate attacks.”
The public response to the leak has centered on the massive revenue generated by popular players, which some have run into the millions. In an interview with BBC News, Fortnite streamer BBG Calc confirmed that its earnings in the leak were correct, and other big earners confirmed it.
A significant amount of Amazon business information was also released through the hack, including the company’s plans for a competitor to the Steam gaming platform called Vapor. Others expressed serious concerns about the security of the platform and the many bank accounts associated with it.
Rachel Tobac, CEO of SocialProof Security, warned streamers to ensure their financial services have the strongest Multi-Factor Authentication (MFA) available as they are now becoming the target of other hackers and scammers.
“For streamers with payout data leaked this includes Venmo, CashApp, Bank, etc. If hardware-based MFA is an option, switch to it by the end of the day (although many banks still don’t offer security key options). If the security key is not an option, consider switching to app-based MFA rather than SMS-based, ”Tobac wrote.
“Intruders are said to have leaked Twitch internal Red Team tools and threat models – brutally. If this is true, it would likely also include phishing lures that are known to be successful with Twitch employees, so the Hacking Handbook. If you work at Twitch, be politely paranoid about messages, inquiries, etc. ”
F-Secure researcher Jarno Niemela said password hashes have been leaked so all users should change their passwords and use 2FA if they don’t already.
“Since the attacker has indicated that they have not yet released all of the information they have, every Twitch user should review all of the information they have given Twitch and see if there are any precautions they need to take with it no further private information has been leaked, ”added Niemela.
All of Twitch’s red team’s security measures are now publicly available, giving hackers tons of information on how to break into the company and those around it, she added.
Among the leaked files, the experts concentrated on the folders “core config packages”, “devtools” (developer tools) and “infosec” (information security).
James Chappell, co-founder of Digital Shadows, said that one of Twitch’s internal GitHub repositories was stolen in the attack.
The leaked data was made available via torrents shared as magnetic links. The dataset appears to be extensive. It has also been dubbed “Part 1,” suggesting that more is to come. Although the user data does not appear to be in the archive at the moment, users on the forum are speculating about what might follow, ”said Chappell.