The streaming platform has been hacked to the core, and you need to enforce 2FA and change your password pronto …
Popular streaming platform Twitch has been hacked, with 125GB of data leaked, including: its full source code and comments; creator payout reports from 2019; mobile, desktop and console clients; proprietary SDKs and internal AWS services used by Twitch; its internal ‘red teaming’ tools; other games that Twitch owns; and user payout information.
The streaming platform has confirmed the leak, and investigations are ongoing.
Technically, anything worth stealing from Twitch has been stolen and leaked: users are advised to turn on two-factor authentication and change passwords to be safe, according to Check Point Software Technologies’ Head of Security Engineering, APAC & Japan, Gary Gardiner.
“Anytime source code gets leaked it’s potentially disastrous. It opens a gigantic door for evildoers to find cracks in the system, (embed) malware, and potentially steal sensitive information. I strongly recommend all Twitch users to exercise caution in the near-term,” Gardiner said.
Another expert, Jonathan Knudsen, Senior Security Strategist at Synopsys Software Integrity Group, noted that an attacker with ideological motivation compromised Twitch’s systems and published a huge amount of data. This is different from the usual financially driven bad actors: “Organizations should consider all types of threats, from casual opportunists to cybercriminals seeking money to nation states pursuing geopolitical gain.”
Knudsen also commented that organizations must have plans in place for a quick and effective response in the event of any breach: “This response needs to address business continuity (keeping the lights on), customer communication, and recovery. Most importantly, incident response must include a post-mortem analysis to improve defenses.”
With the platform’s source code now exposed, Knudsen concluded that Twitch will need to “push their application security to the next level, finding and fixing vulnerabilities before anyone else can find them.”