Just when we thought Facebook’s long downtime would be the biggest cybersecurity news of the week, hackers went in and destroyed Twitch completely, scanning the site’s source code and revealing everything, by how much. the best streamers make (a lot) of the existence of a Steam – like the game client Twitch has in development, codenamed Vapor.
Twitch is still trying to figure out what exactly happened, but as this internal investigation unfolds – and it could very well take a long time, given the scale of the hack – security experts warn of potentially disastrous consequences for the live streaming platform.
“Reading a data breach that includes all of the source code, including brand new software, SDKs, financial reports, and internal red-teaming tools will thrill [the spine of] any hardened infosec professional, “Archie Agarwal, Founder and CEO of ThreatModeler, told the Threatpost blog.” It’s as bad as it could get.
“The first question that everyone worries about has to be, ‘How on earth could someone exfiltrate 125GB of the most sensitive data imaginable without setting off a single alarm? “There are going to be some very difficult questions being asked internally.”
Our colleague Ian Brownhill, chief information security officer at Future, which operates PC Gamer, said the theft of Twitch’s source code could give hostile actors a “massive glimpse” into the systems and infrastructure of the PC. platform, and expose other weaknesses that could allow future attacks. not just against Twitch, but also against its parent company Amazon.
This risk could potentially be heightened if the attackers are ideological, as it currently appears, and not criminal or state. “Monetary rewards are limited, unless a ransom can be extracted,” Brownhill said. “Criminal gangs want credit cards (or PII [personally identifiable information] to a lesser extent) which does not appear to be the target here, or would demand ransoms. It’s not [likely] a nation state – they want the Colonial Pipeline, critical infrastructure type dismantles (or election rigging) – although this all leads to Jeff Bezos, it cannot be completely ruled out. “
Jonathan Knudsen, senior security strategist at Synopsys Software Integrity Group, echoed this point in a statement, saying that access to the source gives attackers the ability to “reverse engineer software applications to understand how they work. “, and that anyone in the world who wants the source code for Twitch can now have it.
“Whatever Twitch does for app security, they need to redouble their efforts,” Knudsen said. “Anyone can now run static analysis, interactive analysis, fuzzing, and any other application security testing tool. Twitch will need to take its app security to the next level, finding and fixing vulnerabilities before anyone can find them. “
But closing security loopholes goes no further when, as Brownhill explained, breaches are often not the result of Hollywood-style high-tech hijackings, but simple exploitation of human fragility, including “l phishing to capture credentials, then move sideways and elevate privileges. [or] action by disgruntled employees. In fact, a “phone phishing attack” is how a Florida teenager was able to hijack dozens of famous Twitter accounts (and steal over $ 117,000) in 2020.
Because of this inherent vulnerability, Comforte AG’s product manager, Trevor Morgan, said companies like Twitch need to focus more on “data-centric” security approaches, rather than spending all of their resources trying prevent hackers from entering. “Threatening actors will enter any perimeter set up to prevent them from entering,” he said. “Protecting the data itself will make this ultimate black market price worthless and mitigate the negative repercussions of a successful hack.”
The good news for Twitch users is that at this point personal data such as usernames, passwords, and credit card information does not appear to be accessible via the leak, although Knudsen did stated that the published data includes hashed passwords. We’ll have to wait for Twitch to confirm the extent of the data loss, but until then, users should at a minimum change their passwords as soon as possible. It would also be a good idea to enable 2FA, and if you have used the same password on other sites, change it in all areas to avoid “credential containment” attacks, where hackers try. to use username and password combinations on a range of different sites. You should also be wary of any request for tracking of personal information.
“This sort of thing can lead to more secondary phishing campaigns,” Brownhill said. “People [may be] claiming to be Twitch offering support / compensation / services to get people to provide more information. “