Just ask Twitch. The livestreaming service for video gamers, esports, music and other content fell to hackers.
It was acquired by Amazon in 2014 for almost a billion dollars.
Hackers broke in and stole 135 gigabytes of data. This includes all of the source code to the platform, transaction data, userids, passwords and other information.
It appears that the passwords were NOT encrypted.
The data has already been posted in multiple places in the hacker underground.
It is not impressive that a company like Amazon would allow a subsidiary to store personal information this way, but apparently, they did.
Among the data stolen was the source code to a gaming platform designed to compete with Steam, along with information about who the highest-paid content creators are and how much they were being paid.
Worse yet, the hacker, who may have had a vendetta against Twitch, said this 125 gigabytes of data was part 1.
How many parts are there? What is going to happen next?
One obvious problem for Twitch is that now that all of their source code is public, hackers will be combing through it to find vulnerabilities, and given what we know so far, there are vulnerabilities.
If you are a Twitch user, you should immediately change your password and enable MFA.
Twitch said: “We can confirm a breach has taken place,” and “Our teams are working with urgency to understand the extent of this.”
I bet they are :).
Google searches for how to delete Twitch were up 800%. Kind of like locking the barn after the animals got out.
Users of Twitch, the world’s biggest video game streaming site, staged a virtual walkout last month to voice outrage over barrages of racist, sexist and homophobic abuse on the platform.
The phenomenon of “hate raids” — torrents of abuse — has seen the platform become increasingly unpleasant for many Twitch streamers who are not white or straight.
Twitch says that they are working on fixing that. Oh, and they are suing some of their customers for organizing the hate raids.
Credit: Security Week
One source is reporting that the following items were among what was stolen:
- Entirety of Twitch, with its Git commit history going all the way back to its early beginnings
- Payouts for the top Twitch creators
- Every property that Twitch owns, including IGDB and CurseForge
- Mobile, desktop, and video game console Twitch clients
- Proprietary SDKs and internal AWS services used by Twitch
- Every other property owned by Amazon Game Studios
- Twitch internal security tools
We are seeing conflicting reports from different sources about userids and passwords. It is possible that they were or were not stolen and the conflicts may be due to what piece of the data each source saw.
One poster on 4Chan says the leak was done to foster more competition in the online video streaming space because Twitch is a “toxic cesspool”. While competitors won’t use Twitch’s code directly, they certainly might check it out for ideas.
Some sources said the hackers got in via a misconfigured server, but I would suggest the problem goes deeper than that. Much deeper. How comfortable are you that hackers could not steal all of your crown jewels?