IOTW: Anonymous hacker posts salaries of ‘Twitchers’ to 4chan

Not since 2016 and the Cambridge Analytica revelation has social media been under such fire as in recent days, with FB’s whistle-blower scandal and subsequent (unrelated, but very preventable) outage. And now, Twitch has been targeted by hackers in a similarly avoidable scenario that left 125GBs of individual user and company information up for grabs on 4chan.

The facts

On Wednesday, 6th October 2021, an anonymous 4chan user posted a torrent file containing Twitch’s source code, as well as the earnings data for the past few years for the most popular users of the streaming service – as well as its penetration testing tools and Proprietary SDKs and internal AWS services. The attack has been described as specific and targeted to Twitch, and, according to the site where the story broke, was carried out to “foster more disruption and competition in the online video streaming space” because “their community is a disgusting toxic cesspool”.

Twitch confirmed the data breach and, alarmingly, no human or AI part of the company’s cyber security team picked up on the hack – after protecting its users and source code, this will be the first item on the company’s list for internal improvements.

In response, the Amazon-owned gaming platform has reset all stream keys and advised users via Twitter how to get their new key. If you are a Twitch user, setting up two-factor authentication, if you haven’t already done it, is also advised. As far as all reports from the company so far confirm, however, no log-in details were compromised.

Lessons learned

Twitch has blamed the breach on “an error in a Twitch server configuration change that was subsequently accessed by a malicious third party” – interestingly, a similar reason for Facebook’s recent 6-hour downtime. And while no malicious user was waiting around to pounce on a moment of weakness, both companies are large enough that this probably shouldn’t have happened.

BBC’s technology reporter, Joe Tidy, described it as: “The biggest leak I have ever seen – an entire company's most valuable data cleaned out in one fell swoop.” It will mean Twitch revamping or changing entirely much of its internal security infrastructure and also means that the hacker will have got their wish: competing sites such as YouTube Gaming will certainly be in a position to swoop in and make better financial offers to the big Twitchers now that everyone knows what they’ve earned since 2019. And as with all data breaches, confidence in the company means bad PR and bad PR means a lower “stock value” (while Twitch isn’t publicly traded, Amazon is, and IT-savvy traders will be onto this).

The hacker also made reference to last month’s Twitch-wide user “walk-out”, which was planned and carried out because of hate spam bot attacks to the community’s vulnerable or marginalized users, and the perception that the company, much like Facebook, wasn’t doing enough to tackle hate speech. By using the hashtag #DoBetterTwitch, the hacker was showing that for them, this is still an ongoing issue and perhaps part of the impetus for the attack.

The fix

Both behemoths of social media suffered worldwide embarrassment (and, in Facebook’s case, caused a massive issue for many small businesses), due to simple internal user errors. While an element of error is always at play (and which good data centre managers and CISOs allow for), the risk has been shown to be so extreme and damaging that configuration changes must be looked at closely and taken very seriously.