Twitch appears to have suffered a devastating hack, with source code for the streaming platform for gamers having apparently been dumped online. Data from 6,000 internal GitHub repositories belonging to the Amazon-owned platform has found its way into the public domain. The names of some of the repositories may indicate the hackers entered through insecure legacy software, a cybersecurity expert told Tech Monitor.
Twitch has since confirmed the leak in a blog post, also detailing the source, which it says was a server configuration change that was subsequently “accessed by a third malicious party.” This will have been due to a mistake made internally, says James Chapell, founder and CIO of UK cybersecurity company Digital Shadows. “Someone made an error,” he says. “They applied a configuration to this server, which then made it accessible by this malicious party.”
Grabbed Vapor, the codename for Amazon's Steam competitor. Seems to integrate most of Twitch's features as well as a bunch of game specific support like Fortnite and PUBG.
Also includes some Unity code for a game called Vapeworld, which I assume is some sort of VR chat thing. pic.twitter.com/4KeeEOspyQ
— Sinoc (@Sinoc229) October 6, 2021
A torrent containing 128GB worth of data purporting to be from Twitch was posted on the 4chan bulletin board, which is popular with hackers, on Wednesday. Files analysed so far have included Twitch’s source code, as well as an unreleased Steam competitor from Amazon Game Studios, codenamed Vapor (Steam is an online platform for buying and playing games), and creator payouts from 2019 to the present day. These figures appear to contain the payment details of up to 2.4m streamers.
Twitch hacked: how did the attackers get in?
A clue as to how the hackers managed to infiltrate the internal server in the first place may have already been unearthed. One of the 6,000 GitHub repositories that have appeared is named “git-aws.internal.justin.tv”. Justin.tv was a video streaming platform the company bought in 2011, which has been offline since 2014. Its server, however, appears to be a central part of the Twitch architecture despite its age, explains Chapell. “Justin TV was one of the predecessor organizations that sort of morphed into Twitch. So [the server is] quite old, it dates back to about 2007, and it’s the original server that Twitch was built on. But the files on this service seem to be relatively up to date so I think it was an active server.”
It is common for legacy software and hardware to be neglected, and it is therefore likely that this is where the leak originated, continues Chapell: “It is not uncommon for older bits of infrastructure to be less well maintained than more recent bits of infrastructure, and that creates circumstances where mistakes such as misconfigurations can come about more regularly.”
The anonymous hacker claims to have hacked “the entirety of Twitch” including mobile, desktop and video game console Twitch clients, Twitch security operations centre internal red teaming tools and “every other property that Twitch owns”. These claims are currently unverified, as the attacker says what is online at present is just part one of the release. So far no personally identifiable information (PII) has been found in the data.
Chapell says the true extent of the breach may not be known for some time. “With a 128GB file it takes a little while to download over a torrent and this has only been going since this morning, so I doubt anybody has the full archive yet. I think analysis will be ongoing to establish exactly what the full scope of this is.”
The leak appears to be the latest in a long line of attacks on Twitch, which has been suffering so-called “hate raids” (bursts of bile aimed at streamers by trolls), which often target ethnic minority or LGBTQ+ streamers. After weeks of issues, Twitch users boycotted the site for a day in August, but the platform has yet to act, saying the problems are difficult to solve. The 4chan data dump refers to the Twitch community as “a disgusting toxic cesspool” and uses the hashtag #DoBetterTwitch, which features heavily in the online retaliation around the raids.
This may give some insight into the motivation behind the leak, says Chapell. “The motivation looks to be extortion, in the sense that this individual seems to be advocating for a decision [for Twitch to stop the hate raids] by doing something serious and threatening to do more.”