A massive breach of Twitch.tv, a popular streaming platform, leaked 128GB+ of documents, including application source code. It’s not the first time. Not too long after Twitch was acquired by Amazon for nearly $1B, they experienced a significant breach in 2014. According to the Motherboard article, evidence of that 2014 hack and the company's response were visible in some of the data leaked in early October 2021.

Despite an all-hands-on-deck effort to investigate the breadth of the attack in 2014, what seems clear today is that Twitch simply wasn’t ready for an attack. Twitch claims that this latest incident was “a result of a server configuration change that allowed improper access by an unauthorized third party.” Many security experts were shocked to see the sheer quantity of information the adversary was able to exfiltrate from Twitch’s internal environment. Generally, such a large theft of information is impossible, as proper breach readiness planning ensures that sufficient safeguards are in place to minimize the fallout from any one compromise. Mitiga’s readiness assessments provide clients with a detailed understanding of how to optimize their current cybersecurity strategy to minimize the impact of a breach.

Adopting a least-privilege model

The first, and most obvious, element lacking at Twitch was adopting a least-privilege model for sensitive data. While the root cause of the Twitch.tv compromise may have been a configuration issue, these kinds of compromises are often the result of adversaries taking over employee accounts that hold access to sensitive data. Organizations can minimize the likelihood of this sort of compromise by utilizing a least-privilege model, where employees have access only to the data necessary to complete their job function.

Prevent but prepare

A readiness assessment could have helped Twitch reduce the impact of the compromise, whether the source of the issue was a configuration issue or a different problem that allowed improper access to the third party who released Twitch’s source code repository and some of the creator payout data. Configuration issues have also been blamed for the massive Facebook outage that took Instagram, WhatsApp, and Messenger offline for hours on October 4. Scanning for configuration issues and having processes and governance in place to prevent a configuration issue from occurring could help, but nothing, as we’ve seen, is ever 100% secure. Adopting a readiness approach, however, helps an organization ensure that they have reviewed their key assets (sometimes referred to as a crown jewels analysis), analyzed the current state of security, and are collecting the forensic data needed to perform an investigation if an incident occurs.  

Hacktivism and cyberattacks

There has been considerable speculation that this breach was hacktivism, which is when computer-based techniques are used as a form of civil disobedience with the intent to promote a political agenda or social change. Twitch has come under fire for harassment of marginalized creators, resulting in the trending hashtag #TwitchDoBetter, and while they claim to have made improvements, for some hacktivists it may have been too little, too late.  

The 4Chan post announcing the breach claimed that the Twitch community was toxic, the platform was substandard, and that this compromise would give smaller competitors a greater advantage. While the server misconfiguration that allowed the massive breach may have simply been an error, someone was looking for a security hole to exploit to achieve their agenda of making Twitch more accountable to their community — whether the attacker was internal to the company or an outsider, they may well have succeeded in their goals.  

There may be more secrets in the Twitch source code that are disclosed through this breach, further deteriorating trust in Twitch for both their streamers and their community. A breach this significant may give smaller competitors a greater advantage, not only due to the breach, but the disclosure of internal processes that further harm the company’s relationship with its community.  

In some cases, people reach out privately to streamers on Twitch to prove their credentials before talking live on stream with the streamer. For example, they may state, “I work at Facebook, here’s my take on the outage.” If such messages are broadly exposed, people will be reticent to talk to streamers on the platform, effectively killing a lot of the productions on Twitch.  

Also worth noting, however seemingly trivial, are the ancillary scandals, such as “golden kappa.” On Twitch, streamers were told that each day a streamer is randomly chosen, and that person’s viewers get a special golden emoji (specifically a “kappa” emoji) to use while interacting via chat. This golden kappa emoji is very encouraging to small streamers, because being the selected person can increase viewership, participation, and help them build a consistent audience.  

Unfortunately, the source code showed that this “random” process is not random at all — in fact, a group of employees can choose who to give the coveted golden kappa to each day. Some streamers expressed significant anger and mistrust in Twitch because they've hoped for years that they’d be randomly selected in time. Now that they know employees can choose whomever they want to receive the golden kappa, employees have undue influence on who gets famous on the platform. This further erodes the trust in the Twitch platform, adding another devastating layer to the data breach.

How can Twitch minimize the damage?

Now that attackers have access to the Twitch source code, they have a significant advantage. They can simply leverage any secrets that appear in the source code (which is bad practice, but has certainly happened before) or identify vulnerabilities in the applications (which is much easier to do if you have the code available). There must be masses of potential criminals inspecting the source code right now, trying to find a way to leverage security gaps to attack. It's extremely likely that they will find new attack vectors and try them.  

As a response to this breach, Twitch should take the following steps:

  • Identify the source of the leak. This type of data breach is likely from an employee-originated source (many opinions so far concur). The original torrent link posted to 4chan called it part 1. It is uncertain what else the hackers could be holding back, but if more private data (such as chat messages, support emails, and similar information) is leaked, it could permanently harm people’s trust in the platform.
  • Look for known vulnerabilities in their code that might not have been prioritized and fix them ASAP.
  • Invest immediately in looking for other vulnerabilities in the code.
  • Lower the alerting threshold for security operations center (SOC) alarms; the SOC needs to be more focused now and should expect attacks to increase.
  • Run compromise assessments and hunts to find new vulnerabilities and attacks early on.

This advice is good for any organization that experiences a similar type of data breach. Now that the application source code is released, it’s time to focus on minimizing the damage.  
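One concrete step behind the "look for vulnerabilities in the code" advice is to treat the leaked tree as an inventory of credentials that must be rotated before attackers use them. The scanner below is an added example, not Mitiga's or Twitch's code: it runs a few hard-coded-secret patterns over a constructed sample source file (the key ID is AWS's published example value, not a real credential) and reports each hit with the value redacted.

```python
import re
from dataclasses import dataclass

# Patterns for common hard-coded credentials. The AWS key-ID shape is the
# documented public format; the "generic" one is an assignment heuristic.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic_secret": re.compile(
        r"(?i)(password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
    ),
}

@dataclass
class Finding:
    line_no: int
    kind: str
    redacted: str  # first 4 chars kept so the owner can locate the credential

def redact(value: str) -> str:
    return value[:4] + "*" * (len(value) - 4) if len(value) > 4 else "****"

def scan_source(text: str) -> list[Finding]:
    """Scan one source file's contents and report hard-coded credentials."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                # The secret value is the last capture group; the private-key
                # header has no group and is reported as-is (it is not secret).
                value = m.group(m.lastindex) if m.lastindex else None
                findings.append(Finding(line_no, kind, redact(value) if value else m.group(0)))
    return findings

# Constructed sample (hypothetical config module, not Twitch code).
SAMPLE = """\
import os
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
db_password = "hunter2hunter2"
token = os.environ["API_TOKEN"]   # read from the environment: fine
# -----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for f in scan_source(SAMPLE):
        print(f"line {f.line_no}: {f.kind} -> {f.redacted}")
```

Every hit is a credential to revoke and reissue, not just a finding to triage; the environment-variable read on line 4 is deliberately not flagged.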

Twitch has emerging competitors, all battling for attention (Mixer, YouTube Gaming). The long-term effects of this breach may provide other platforms with the impetus they need to gain market share from an unhappy community of streamers and users who no longer trust Twitch to protect the application, user data, or even their own reputation.
