Amazon-owned streaming service Twitch confirmed it suffered a huge data breach this week. A “human error” committed when configuring a server created an exploitable vulnerability that led to reams of confidential information being leaked online.
The breach makes Twitch – which employs over 5,000 people – the latest large business to fall victim to cybercrime this year; approximately 5 billion private business records were leaked from businesses between January and June of 2021 alone.
The theft of Twitch’s data is a grim reminder that breaches and attacks are becoming increasingly common and can have devastating effects. This puts even more onus on businesses to protect themselves and the information they hold.
What Was Leaked in the Twitch Breach?
Around 135 gigabytes of Twitch data was published online, including the source code for the streaming service (the foundational element of Twitch’s computer program) and sensitive information detailing how much creators have been paid by the platform.
Some of these financial records date back to over two years ago, prompting some experts to question exactly how long the vulnerability had existed for. Information relating to the streaming service’s security systems and infrastructure was also released online, as well as classified data about yet-to-be-released projects that Twitch is developing.
In a statement posted on the site, Twitch gave little away about precisely how the breach occurred, stating simply that a “server configuration change that was subsequently accessed by a malicious third party”.
Where Was Twitch’s Data Posted?
The data breach appeared on the controversial imageboard 4Chan with the ominous title ‘Twitch leaks part one’, leaving users and creators wondering whether the worst is still to come.
Referencing Amazon’s 2014 acquisition of the platform, the anonymous poster bragged: “Jeff Bezos paid $970 million for this, we’re giving it away FOR FREE.” further comments suggested the leaker was motivated by a disdain for the Twitch community, which they described as a “disgusting toxic cesspool”.
One cybersecurity expert told the BBC that Twitch’s “entire digital footprint” was effectively stolen and published, subsequently suggesting it was one of the most damaging data leaks of late.
How Did Twitch Respond to the Breach?
The company confirmed that “some data was exposed to the internet due to an error” and assured users that the service’s “teams are working with urgency to investigate the incident.”
Twitch said it was “still in the process of understanding the impact in detail”, but wanted “to address [user concerns online] while our investigation continues”, confirming that account login details were not compromised.
“At this time, we have no indication that login credentials have been exposed. We are continuing to investigate” – Twitch statement
The streaming service – which has 30 million daily visitors – has also taken the cautionary step of resetting all stream keys for users. Twitch streamers can find this in the Stream sub-menu in Settings on the Creator Dashboard.
Stream of Large Data Breaches Continues
Twitch’s track record on security isn’t exactly squeaky clean, and Amazon will have to up its game considering Big Tech competitors have also made moves into the gaming market in recent years. Most recently, the platform struggled to contain ‘hate raids’, which involved streamers being spammed by bots spouting hate speech.
But they aren’t alone – according to the Identity Theft Resource Center, the volume of data breaches that have taken place this year has already exceeded that of 2020 with three months to spare. The average cost of a data breach to a US company is now a huge $8.64 million and rising.
Although it’s difficult to find a positive in a data breach, there is one thing Twitch did right that other businesses should take notice of. Twitch does not store full credit card numbers, so there was no risk of full credit card numbers being exposed during this leak.
This is a good security practice – if you don’t need to hold certain information for your platform, business or organisation to succeed, then don’t hold onto it. Another good practise businesses are carrying out to keep their information safe is ensuring employees are using Password Managers, with several providers now able to notify you immediately if one of your passwords is compromised.
Twitch wasn’t the first company to suffer a severe data breach this year, nor will it be the last. The news is, however, a cautionary tale to all businesses holding data. Hacking groups may strike fear into the hearts of CEOs and IT teams across the world – but the frequency of human error is just as terrifying.
