Just when we thought that Facebook's lengthy downtime would be the biggest cybersecurity news of the week, hackers went and absolutely bulldozed Twitch, swiping the site's source code and revealing everything from how much the top streamers make (a lot) to the existence of a Steam-like game client Twitch has in development, codenamed Vapor.
Twitch is still trying to figure out what exactly happened, but while that internal investigation unfolds—and it could very well take a long while, given the scale of the hack—security experts are warning of potentially dire consequences for the livestreaming platform.
"Reading of a data breach that includes the entire source code, including unreleased software, SDKs, financial reports and internal red-teaming tools will send a shudder down [the spine of] any hardened infosec professional," ThreatModeler founder and CEO Archie Agarwal told the Threatpost blog. "This is as bad as it could possibly be."
"The first question on everyone’s mind has to be, 'How on earth did someone exfiltrate 125GB of the most sensitive data imaginable without tripping a single alarm?' There’s going to be some very hard questions asked internally."
Our colleague Ian Brownhill, information security director at Future, which operates PC Gamer, said the theft of the Twitch source code could give hostile actors a "massive insight" into the platform's systems and infrastructure, and expose other weaknesses that could enable future attacks—not just against Twitch, but its parent company Amazon as well.
That risk could potentially be heightened if the attackers are ideological, as it currently appears, and not criminal or state-based. "The monetary rewards are limited, unless a ransom can be extracted," Brownhill said. "The criminal gangs want the credit cards (or PII [personally identifiable information] to a lesser extent) which does not seem to be the target here, or would be demanding ransoms. It’s not [likely] a nation-state—they want the Colonial Pipeline, critical infrastructure-type takedowns (or election tampering)—although as it all leads up to Jeff Bezos this cannot be completely ruled out."
Synopsys Software Integrity Group senior security strategist Jonathan Knudsen echoed that point in a statement, saying that access to the source gives attackers an opportunity to "reverse engineer software applications to understand how they work," and that anyone in the world who wants Twitch's source code can now have it.
"Whatever Twitch was doing for application security, they need to redouble their efforts," Knudsen said. "Anyone can now run static analysis, interactive analysis, fuzzing, and any other application security testing tools. Twitch will need to push their application security to the next level, finding and fixing vulnerabilities before anyone else can find them."
But plugging security holes only goes so far when, as Brownhill explained, breaches often aren't the result of Hollywood-style high-tech hijinks, but simple exploitation of human frailty, including "phishing to capture credentials and then moving laterally and escalating privileges [or] disgruntled employee action." In fact, a "phone spear phishing attack" is how a Florida teenager was able to hijack dozens of famous Twitter accounts (and steal more than $117,000) in 2020.
Because of that inherent vulnerability, Comforte AG product manager Trevor Morgan said companies like Twitch need to focus more on "data-centric" approaches to security, rather than pouring all their resources into trying to keep hackers out. "Threat actors will penetrate any perimeter put in place to keep them out," he said. "Protecting the data itself will render that ultimate prize worthless on the black market and blunt the negative repercussions of a successful hack."
The good news for Twitch users is that at this point, personal data like usernames, passwords, and credit card info doesn't appear to be accessible through the leak, although Knudsen said the published data does include hashed passwords. We'll need to wait for Twitch to confirm the extent of the data loss, but in the meantime users should at the very minimum change their passwords as soon as possible. It would also be a good idea to enable 2FA, and if you've used the same password on other sites, change it across the board to avoid "credential stuffing" attacks, where hackers try using username and password combos across a range of different sites. You should also be wary of any followup requests for personal information.
"This kind of thing can lead to more secondary phishing campaigns," Brownhill said. "People [may be] pretending to be Twitch offering support/compensation/services to trick people into handing over more information."