Live streaming service Twitch hacked, stolen data shared on 4chan

Amazon.com Inc.-owned live streaming service Twitch has been hacked and the stolen data has been shared online.

The breach, revealed today, involved 125 gigabytes of stolen data that was shared as a “torrent” to the 4chan forum. The data included the service’s source code, details of an unreleased Steam competitor, internal security tools, three years’ worth of payment details to creators and other code relating to Amazon Web Services services used by Twitch.

The person who shared the stolen data, presumably the same person who stole it, said the data published was only the first release, suggesting that there is more stolen data yet to be revealed. The data did not include usernames, passwords and email addresses.

On 4chan, the person who shared the stolen data suggested that the motivation was a strong dislike of Twitch. “Their community is also a disgusting toxic cesspool, so to foster more disruption and competition in the online video streaming space, we have completely pwned them,” the person wrote.

Twitch has confirmed that a breach has taken place and that it’s currently investigating it.

We can confirm a breach has taken place. Our teams are working with urgency to understand the extent of this. We will update the community as soon as additional information is available. Thank you for bearing with us.

— Twitch (@Twitch) October 6, 2021

What is unknown is how the breach took place.

“Based on the commentary from the user who allegedly leaked the data out on 4chan, this looks like a highly targeted attack,” Hank Schless, senior manager, security solutions at endpoint-to-cloud security company Lookout Inc., told SiliconANGLE. “Without additional details, it’s difficult to speculate how this individual was able to gain access to so much data.”

In other attacks, such as ransomware, he added, an attacker will often acquire legitimate credentials through phishing campaigns, then use those credentials to navigate the organization’s infrastructure. “This attack looks different because it’s not just one service or data type that was leaked — it spans almost every aspect of the Twitch platform, including incredibly private proprietary data,” he said.

James Chappell, co-founder and chief innovation officer at digital risk protection firm Digital Shadows Ltd., noted that the post on 4Chan pointed to a 128GB torrent containing data that appears to have been acquired from one of Twitch’s internal GitHub repositories.

“There appears to be evidence that the original files came from an internal GitHub server, git-aws.internal.justin.tv, was at least part of the breach,” Chappell said. “Justin.tv was the name of a company that eventually transformed into Twitch. It rebranded as Twitch in 2011 — so this looks like a longstanding piece of infrastructure.”

Although user login details have not yet been published, Quentin Rhoads-Herrera, director of professional services at managed detection and response services provider Critical Start Inc., says users are still at risk.

“Twitch’s code being released could potentially be used by malware authors to infect the userbase of Twitch by possibly finding flaws in the applications code,” Rhoads-Herrera pointed out. “This, however, is unlikely as the return the attackers would get is minimal and in my opinion, wouldn’t be worth their effort. This is more of a way to publicly humiliate Twitch and potentially lower the trust the Twitch users may have in the platform and company.”

Photo: Gage Skidmore/Flickr