Twitch is rejecting consequences of the recent leak

The update claims that login credentials or card numbers were not exposed

Published: October 21, 2021 By Ozair Malik

What actually happened?

An anonymous 4chan user posted a torrent link to a 128GB file on the 4chan discussion forum. According to that user, the leaked archive contains sensitive material stolen from 6,000 internal Twitch Git repositories. The leaker shared the data in response to harassment raids targeting Twitch streamers this summer, who used the hashtag #DoBetterTwitch.

The streamers used the same hashtag in August to provide evidence of the hate raids that targeted them on Twitter when the platform's chat rooms were swamped with offensive messages.

The Message Published by Leaker

Their community is also a disgusting toxic cesspool, so to foster more disruption and competition in the online video streaming space, we have completely pwned them, and in part one, are releasing the source code from almost 6,000 internal Git repositories.

Leaker’s statement

What does the anonymous user's thread contain?

According to the anonymous user's thread, 'twitch leaks part one,' the archive contains:

  • The whole history of Twitch.tv, with commits dating back to its inception.
  • Clients for mobile, desktop, and video game consoles.
  • A variety of proprietary SDKs and internal AWS services used by the platform.
  • Every other property Twitch owns, including IGDB and CurseForge.
  • Amazon Game Studios' unpublished Steam competitor.
  • Twitch SOC internal red teaming tools (lol).
  • Creator payout reports from 2019 to the present.

However, the official statement from Twitch confirmed that only a small number of people were affected, and that login credentials and card numbers were not exposed.

Root Cause!

According to the update, users' or streamers' login credentials or full payment card data were not exposed.

The incident was caused by a server configuration change that allowed an unauthorized third party to get improper access. Twitch passwords were not disclosed.

According to the firm, systems storing Twitch login credentials, which are hashed using bcrypt, were not accessible.

Updates from TWITCH

Here are some updates from Twitch related to the recent incident resulting from a server configuration change that allowed an unauthorized third party to get improper access.

Twitch passwords have not been exposed. We are also confident that systems that store Twitch login credentials, which are hashed with Bcrypt, were not accessed, nor were full credit card numbers or ACH / bank information. The exposed data primarily contained documents from Twitch’s source code repository, as well as a subset of creator payout data. We’ve undergone a thorough review of the information included in the exposed files and are confident that it only affected a small fraction of users and minimal customer impact. We are contacting those who have been impacted directly.

TWITCH official Statement

According to the company, a misconfiguration of one of the company's servers resulted in the data being exposed online. Twitch gave an update on their inquiry today, announcing that all stream keys have been reset as a preventative measure.

Customers may need to manually update their broadcast software with this new key to start their next stream, depending on the broadcast software they use:

  • Users of Twitch Studio, Streamlabs, Xbox, PlayStation, and the Twitch Mobile App should not need to do anything to make their new key work.
  • Users who have connected their Twitch accounts to OBS should not need to do anything else.
  • Users who haven't linked their Twitch account to OBS will have to manually copy and paste their stream key from their Twitch Dashboard into OBS.
  • Please refer to the individual setup instructions for your program of choice for everything else.

According to the company's security department, they discovered that data was exposed to the internet due to an error in a Twitch server configuration change, and that a hostile third party then accessed it.

Their teams are working to investigate the issue as quickly as possible. They are still trying to determine the full impact, and the investigation is still ongoing.

They recognize that this scenario has raised some issues, and they'd like to address a few of them now while their investigation is ongoing.

They have no evidence that login credentials have been leaked at this time. They're still looking into it.

Furthermore, because Twitch does not keep complete credit card data, full credit card numbers were not disclosed.

VGC and its part in this incident

According to VGC, the leaker justified the leak by saying it would "promote further disruption and competition in the online video streaming industry."

According to VGC, the files posted on 4chan are publicly available to download as described by the unidentified hacker.

VGC reports that, according to an anonymous company source, the leaked data, including the source code for Amazon's streaming platform, is real.

According to the source, Twitch is aware of the hack internally, and the data was likely stolen as recently as Monday. Twitch has been contacted for comment, and we will update this story whenever they respond.

This is the company's first official comment following reports of a massive data breach (via VGC).

Vapor – A service under development

According to reports, the leak also disclosed the existence of a service named 'Vapor,' which appears to be an Amazon Games Studio competitor to Steam that would be integrated with Twitch. Amazon and Amazon Games Studio have yet to respond to the leak's specifics.

Your steps towards security during a major breach!

With such a significant breach, you should change your Twitch password - and any other passwords related to the account - right now.

Turning on two-factor authentication for your Twitch account is also a good idea, as it ensures that you are notified on your phone of any attempt to log in.

Immediately resetting your password and first and last name on Twitch.tv is also a good idea, as Twitch will ask you to update those details soon. You can do that on Twitch's website or via the "My Account" menu button at the top right of the page.

You should never reuse a password that you have used on other sites, including accounts with little security, like Hotmail accounts. This is because data breaches are becoming more frequent, and hackers are finding increasingly sophisticated ways to steal data.

Twitch, the video game broadcasting service currently used by many eSports fans, has recently fallen victim to data breaches. Before this incident, some 1.7 million users had their account details stolen in this type of incident, which occurred in late October 2015.

It seems that this information was stolen from other sites the attackers hacked into. The hacker group's tweets indicate that they gained access to these other accounts via impersonating moderators on gaming forums and then using phishing emails to harvest email addresses for their purposes.

Conclusion

This article is an evaluation of the statement made by Twitch. Twitch apologizes for the security issue but claims that no payment information was compromised. Security researchers, however, disagree.

After the recent Twitch security breach where hackers accessed information for many accounts, many users are now worried about their data being compromised or stolen.

This article covered the whole scenario of the incident from start to finish. In summation, the events involved a hacker gaining remote access to Twitch user accounts through a security flaw in their website.

The hacker obtained information from thousands of Twitch users, had access to their accounts, and attempted to sell this information for profit.

This incident is not an isolated case of a hacker breaking into a website and obtaining data illegally.

There have been numerous instances of hacks on many different websites in which attackers successfully gained access to our private information.

Author
Ozair Malik
A passionate Cyber Security researcher and writer with a keen interest in Digital Forensics. A community worker running an insta blog to raise cybersecurity awareness among laymen.
