At a glance.
- Twitch's spectacularly large data breach.
- "Dining out" and the risk it poses to privacy.
Twitch breach update.
As we noted yesterday, live-streaming service Twitch sustained a massive data breach whose scale has surprised even seasoned observers. The Verge reports that the hacker took not only the platform’s source code but also details of leading creators’ incomes, proprietary software development kits, and unreleased Twitch projects. The person responsible, an anonymous 4chan user, concentrated on revealing company tools and data rather than user account information, which aligns with their stated motive of “foster[ing] more disruption and competition in the online video streaming space.” Since the 125GB torrent was labeled “part one,” a second release seems likely.
Distractify describes the information on streamer payouts as “mind-boggling”: the user xQc earned $752,467 last month alone, and the top earner over the past two years took in more than $9 million, before donations and sponsorships. Wired points out that the leak could put these streamers in the crosshairs of cybercriminals. Rachel Tobac, CEO of SocialProof Security, explains, “Even if the streamer payout data is incorrect or has been falsified, cyber criminals could still be more interested in targeting those streamers’ accounts because they know they are extra-confirmed, high-value targets.”
In describing their motives, the perpetrator referenced the platform’s recent string of hate raids, in which chatbots barraged marginalized users with hate speech and sparked the #TwitchDoBetter movement. To its credit, Twitch launched tools to curb the harassment and filed lawsuits against two alleged hate raiders, but some users feel it’s not enough. Streamer Littlesiha told Wired, “It took Twitch two months to find a way to protect marginalized creators that were getting harassed, threatened, and doxed through chatbot raids. Security on the site feels like a joke at this point.”
Indeed, Twitch’s security measures, or lack thereof, are now under scrutiny. As ThreatModeler CEO Archie Agarwal told PC Gamer, “The first question on everyone’s mind has to be, ‘How on earth did someone exfiltrate 125GB of the most sensitive data imaginable without tripping a single alarm?’” The exposure of source code is especially damaging: attackers can now read the code for exploitable flaws at their leisure, and weaknesses found there may bear not only on Twitch but also on parent company Amazon. Jonathan Knudsen of Synopsys Software Integrity Group explained, “Twitch will need to push their application security to the next level, finding and fixing vulnerabilities before anyone else can find them.”
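Agarwal’s question is really a question about detection: a single host pushing 125GB outbound should stand out against its own history. The following is an added illustration, not Twitch’s tooling or any published detection rule, of the simplest alarm of that kind: bucket outbound bytes per host per hour and alert when an hour exceeds a multiple of that host’s median for earlier hours. The flow records, host names, and addresses are constructed for the example.

```python
"""Egress-volume anomaly detection over constructed flow records.

Added example, not code from Twitch or from any vendor quoted here. It
illustrates one alarm that large exfiltration should trip: an hour in which
a host sends far more than its own recent baseline to anywhere.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample flow records: (UTC timestamp, source host, destination, bytes out).
# build-01 behaves normally for four hours, then pushes roughly 125 GB to one
# external address in the fifth hour. web-07 is steady throughout.
SAMPLE_FLOWS = [
    ("2021-10-05T00:10:00", "build-01", "10.0.0.5", 120_000_000),
    ("2021-10-05T01:12:00", "build-01", "10.0.0.5", 110_000_000),
    ("2021-10-05T02:08:00", "build-01", "10.0.0.5", 130_000_000),
    ("2021-10-05T03:15:00", "build-01", "10.0.0.5", 125_000_000),
    ("2021-10-05T04:05:00", "build-01", "203.0.113.9", 60_000_000_000),
    ("2021-10-05T04:30:00", "build-01", "203.0.113.9", 65_000_000_000),
    ("2021-10-05T00:20:00", "web-07", "10.0.0.5", 50_000_000),
    ("2021-10-05T01:20:00", "web-07", "10.0.0.5", 55_000_000),
    ("2021-10-05T02:20:00", "web-07", "10.0.0.5", 48_000_000),
    ("2021-10-05T03:20:00", "web-07", "10.0.0.5", 52_000_000),
    ("2021-10-05T04:20:00", "web-07", "10.0.0.5", 51_000_000),
]


def bucket_flows(flows):
    """Sum outbound bytes per (host, hour), truncating timestamps to the hour."""
    per_hour = defaultdict(int)
    for ts, host, _dst, nbytes in flows:
        hour = datetime.fromisoformat(ts).replace(minute=0, second=0, microsecond=0)
        per_hour[(host, hour)] += nbytes
    return per_hour


def total_egress(flows):
    """Total outbound bytes per host over the whole window."""
    totals = defaultdict(int)
    for _ts, host, _dst, nbytes in flows:
        totals[host] += nbytes
    return dict(totals)


def find_egress_anomalies(flows, min_baseline_hours=3, ratio=10.0, abs_floor=1_000_000_000):
    """Return (host, hour_iso, bytes, baseline) for every hour in which a host's
    egress exceeds `ratio` times the median of its earlier hours.

    `abs_floor` suppresses alerts on tiny baselines (a host that normally sends
    1 KB and then sends 50 KB is not an exfiltration), and hours with fewer than
    `min_baseline_hours` of history are skipped rather than compared to nothing.
    """
    by_host = defaultdict(list)
    for (host, hour), nbytes in bucket_flows(flows).items():
        by_host[host].append((hour, nbytes))

    alerts = []
    for host, series in by_host.items():
        series.sort()  # chronological, so "prior" means strictly earlier hours
        for i, (hour, nbytes) in enumerate(series):
            prior = [b for _, b in series[:i]]
            if len(prior) < min_baseline_hours:
                continue
            baseline = median(prior)
            if nbytes >= abs_floor and nbytes > ratio * baseline:
                alerts.append((host, hour.isoformat(), nbytes, baseline))
    return alerts


if __name__ == "__main__":
    for host, hour, nbytes, baseline in find_egress_anomalies(SAMPLE_FLOWS):
        print(f"ALERT {host} {hour}: {nbytes / 1e9:.1f} GB out, baseline {baseline / 1e6:.0f} MB/h")
    for host, nbytes in total_egress(SAMPLE_FLOWS).items():
        print(f"{host}: {nbytes / 1e9:.3f} GB total")
```

In practice the baseline would come from days of history rather than a handful of hours, and the same bucketing by destination (a first-ever external address receiving tens of gigabytes) is a second, independent signal worth alerting on; the point is that the data to raise such an alarm is in ordinary flow logs.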
If data breaches are a kind of larceny, and if larceny is conventionally characterized as either petty or grand, then the Twitch data breach would seem to introduce a new category: spectacular. The incident has drawn comment from many industry sources. Tony Pepper, CEO of Egress, notes that breaches are no respecters of size, and that they have sequelae that extend far beyond the organization immediately affected:
“This hack shows that any organization, no matter how large, can be the target of a cyberattack. This hack has exposed highly sensitive operational data, including Twitch’s source code, once again highlighting to organizations the importance of taking the right steps to secure their data. If the hacker’s motivation was to cause significant disruption for Twitch, it looks like they’ll achieve that goal.
"This hack also potentially leaked sensitive user data, including encrypted passwords, which means that Twitch users are also at risk of follow-up attacks, especially for the 65% of people who use the same password across multiple accounts. This breach could be hugely damaging for Twitch and could dent users’ trust in the company’s ability to keep sensitive data safe. We’d advise Twitch users to change their passwords as soon as possible, and to ensure that they’ve enabled multi-factor authentication for additional protection.”
Matthew Meehan, Chief Operating Officer of TokenEx, sees another object lesson in the inadequacies of perimeter-defense as an approach to security:
"Breaches such as this show why traditional perimeter-defense strategies on their own are insufficient for protecting organizations from data theft. In order to keep organizations safe, these controls must function properly 100 percent of the time—even the smallest outage or failure can allow an intrusion and potentially lead to the compromise of sensitive data.
"Our experience in the space has proven time and again that adhering to 'zero trust'—or defense in depth—provides the best framework for successful cybersecurity strategies. Technologies such as tokenization and encryption support this approach by focusing on granular data protection that renders sensitive information inaccessible. By combining them with logging, tracking, access management, and additional security tools—and not focusing solely on perimeter defense—organizations can create a layered security posture that best positions them to fend off cybercriminals and other threat actors."
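Meehan names tokenization as a way to make stolen data inaccessible. As an added illustration of what that means in code (not TokenEx’s product, nor anything from Twitch), the class below keeps the real value only in a separate vault, hands the application a random token to store, releases the real value only to an allowed role, and records every detokenization attempt. The vault key, roles, and sample account number are constructed for the example.

```python
"""Minimal tokenization vault: the application stores tokens, the vault keeps
the mapping, and detokenization is role-gated and audited.

Added example; hypothetical code, not a real product's API. The vault's
mapping would itself be encrypted at rest in a real deployment.
"""
import hashlib
import hmac
import json
import secrets
from typing import Optional


class TokenVault:
    def __init__(self, lookup_key: bytes, allowed_roles=("payments",)):
        self._tokens = {}               # token -> real value (vault side only)
        self._index = {}                # HMAC(value) -> token, so one value maps to one token
        self._key = lookup_key          # keyed, so the index alone does not reveal values
        self._allowed = set(allowed_roles)
        self.audit = []                 # every detokenize call, granted or not

    def _fingerprint(self, value: str) -> str:
        return hmac.new(self._key, value.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, value: str) -> str:
        """Return a random token for `value`, reusing the token if already seen."""
        fp = self._fingerprint(value)
        if fp in self._index:
            return self._index[fp]
        token = "tok_" + secrets.token_urlsafe(24)   # random, carries no information
        self._tokens[token] = value
        self._index[fp] = token
        return token

    def detokenize(self, token: str, role: str, actor: str) -> Optional[str]:
        """Release the real value only to an allowed role; log the attempt either way."""
        granted = role in self._allowed and token in self._tokens
        self.audit.append({"actor": actor, "role": role, "token": token, "granted": granted})
        return self._tokens[token] if granted else None


def build_payout_record(vault: TokenVault, streamer: str, amount_usd: int, account: str) -> dict:
    """What the application database stores: the token, never the account number."""
    return {"streamer": streamer, "amount_usd": amount_usd, "account": vault.tokenize(account)}


if __name__ == "__main__":
    vault = TokenVault(lookup_key=b"constructed-demo-key")
    # Constructed sample data; "GB29NWBK60161331926819" is a standard example IBAN.
    record = build_payout_record(vault, "example_streamer", 752_467, "GB29NWBK60161331926819")
    print("stored record:", json.dumps(record))                # exfiltrating this yields only a token
    print("payments job:", vault.detokenize(record["account"], "payments", "payout-job"))
    print("analytics:   ", vault.detokenize(record["account"], "analytics", "dashboard"))
    print("audit:", json.dumps(vault.audit, indent=1))
```

The security property is that a copy of the application database, the thing most likely to be bulk-exported, contains only tokens; reaching the real values requires a second, separately controlled and logged hop to the vault, which is exactly the layering Meehan describes.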
June Werner, Cyber Range Engineer at the Infosec Institute, runs down what's known so far about the breach, and urges some immediate action on the streaming service's users:
"This morning a 125 GB leak of Twitch's data was made public. This leak includes the entirety of Twitch's source code, the history of the source code, creator payout reports, proprietary development kits, an unreleased competitor to Steam, and internal security tools. This leak also describes itself as 'part one', meaning the leakers may have more data that they have not released and are planning to release at a future date. The release of Twitch's source code may make it easier for malicious actors to find exploits on Twitch's platform in the future. The details of what personal data the leakers may have had access to are not yet known, but in the meantime, the best action users of Twitch can take to protect themselves is to change their Twitch password, enable Two-Factor Authentication, and ensure that they are not using their old Twitch password for any other accounts."
Quentin Rhoads-Herrera, Director of Professional Services at CRITICALSTART, offers informed speculation about the hacker's motivation. He, she, or they were apparently hacktivists:
“Twitch’s code being released could potentially be used by malware authors to infect the userbase of Twitch by possibly finding flaws in the application’s code. This however is unlikely as the return the attackers would get is minimal and in my opinion wouldn’t be worth their effort. This is more of a way to publicly humiliate Twitch and potentially lower the trust the Twitch users may have in the platform and company.
"If this was RaaS [ransomware-as-a-service] we would have seen encryption events as part of this. Normally those types of groups don’t announce a breach until they have both stolen data and encryption moving throughout the victims network. This sounds like a 'hacktivist,' similar to the group Anonymous and their past hacks on organizations they didn’t agree with or believe were morally wrong, or someone who has hacked Twitch to drive a point across. The loss of revenue, either present or future, Twitch will experience due to their IP being released falls in line with hacktivism and is most likely the motive behind the breach and unfortunately, will also be a result of the attack.
"Additionally, it appears the overall goal was to shame Twitch not harass or hurt its userbase in general. They are trying to push an agenda that Twitch should be banned or blacklisted and their approach to that was through this breach and dumping sensitive company information.”
What does all this mean for Twitch? Rhoads-Herrera thinks the damage is largely done:
"Now that the data has been released there isn’t much Twitch can do. They should try and prevent it from being put up on platforms like GitHub, BitBucket, or other popular code/file sharing platforms but the data is already out and will be shared forever through many different channels. What they can do is evaluate exactly what was stolen, reset user passwords that were compromised, and determine the risk to their IP (especially from what was stolen of Vapor which is supposedly going to compete with Steam) and how it will impact their business overall. The largest risk to Amazon’s Twitch is the data that is now freely available to their competitors.
"As a result of this event, Twitch might lose some user following and trust they may have had in their users. The biggest impact is the leaked data that is unique to their intellectual property that could be leveraged by competitors.”
Purandar Das, President and Co-Founder of Sotero, thinks other companies should heed and learn from Twitch's experience:
"Maybe a wakeup call to companies and organizations that think the data they need to protect is limited to customer information. The recent set of activities continue to show two things: all data is important and second that the hackers out there are very sophisticated in technology as well as commercially. They are targeted in the organizations they attack and the information they exfiltrate. In addition, they know how to maximize the commercial value of the stolen data. The point at which these activities will pose an existential threat to entities is here. Organizations have implemented security purely with an eye towards regulation and compliance. The least amount of investment, around a few data categories. The risk is real and much broader. Operational information and intellectual property are at stake. Given the current state of security: dysfunctional, fragmented and selective in capability, it is a ripe environment for bad actors."
Would you like a side of user data with that?
The digitization of the restaurant experience, accelerated by the pandemic, has diners doing everything from browsing the menu to leaving a tip via app or QR code. But the convenience comes with an extra helping of privacy risk: many of these platforms harvest personal data such as financial information, browsing and purchase history, location, and even photos, and sell it to third parties for advertising. TechRobot examined popular dining apps to determine which gather the most data on their users. In the UK, Caffé Nero came in first, tracking 68% of available user data, followed by Paul UK, Domino’s, and Wendy’s, with McDonald’s rounding out the top five. Stateside, restaurant delivery apps topped the list, with Caviar first at 71% and Grubhub, Postmates, and Uber Eats not far behind. Side note: if you have a Slim Chickens nearby, grab your wings there; it is one of the few holdouts that does not harvest user data.