The Full Extent Of The Twitch Hack

Nov 29, 2021

Once believed to be indestructible, big tech companies like LinkedIn, Adobe, and even Facebook have succumbed to data breaches, hacks, and leaks in recent years.
The latest of these is the hack of livestreaming site Twitch.
In October 2021, a hacker anonymously published a large torrent file. This file contained confidential information, such as all of Twitch’s source code and content creator earnings. 
Naturally, you may look at the Twitch hack and wonder: If even a big tech firm is vulnerable to cyberattacks, how can I improve my application security to protect against such threats? The solution is simple: effective application security testing.
In this article, we’ll explore the full extent of the Twitch hack and its underlying reasons. In doing so, we will highlight the fatal application security flaw that leads to these cyberattacks and show how you can protect your software against them.

What Happened During the 2021 Twitch Hack?

Although the Twitch hack has made it to the headlines worldwide, the full extent of this hack remains unclear. Both the anonymity of the hacker and uncertainty about the size of the breach have made it difficult to assess the scope of the damage.
Before we delve deeper into what we don’t know about the breach, let’s consider what we do know.
In the early hours of October 6, 2021, a user on 4chan, an anonymous imageboard website, published a 125 GB torrent file. The torrent file was titled “Part One,” suggesting it was the first in a series of subsequent leaks, and contained sensitive data leaked from Twitch, an online streaming service and platform.
A few hours after the initial release, Twitch officially confirmed that the 4chan leak was legitimate.

Twitch Hacks Leak List

So, what exactly did this massive data breach entail?
The short version is that it was the company’s source code through its near-complete repository and the earning data of Twitch content creators.

The more detailed version includes the following:

  1. The complete repository of twitch.tv along with commit history.
  2. The source code for Twitch mobile, desktop, and gaming console apps.
  3. Twitch creators’ earning details over three years.
  4. Twitch’s internal security details and tools.
  5. Sensitive data on IGDB and CurseFrog, other software products owned by Twitch’s parent company.
  6. The existence of an unreleased software by Amazon Game Studios for competing with Valve’s Steam, titled Amazon Vapor.
  7. Twitch proprietary SDK code and internal AWS service data.

At first glance, users may be relieved to see that the data leak doesn’t contain sensitive user data, such as passwords, phone numbers, or addresses.

However, this password security is far from a certainty; the leaks likely contain user data and passwords in the second part. This part has not been publicly released yet. However, we’re still recommending changing your Twitch password and enabling two-factor authentication (2FA) if you haven’t already.

Potential Impact?

The impact of the Twitch hack is difficult to assess, as it primarily is focused on leaking company details rather than user account information. At the moment, at least, the goal of the hack seems to be to disrupt Twitch’s business more than hurt its users.

One thing’s certain, though: this leak has raised alarm bells for several software companies regarding application security testing and quality assurance. After all, if hackers could take down one of the biggest tech companies worldwide, where does that leave smaller companies?

Other than Twitch itself, the leaks hurt Twitch content creators the most. So far, Twitch creator earnings, including revenue from subscriptions, ads, and donations from viewers, have mainly remained confidential. The leak was the first mass data breach where hackers released confidential Twitch earning details to the public.

Twitch continues to have an issue with income disparity, as the gap between the platform’s top earners and the majority of its streamers who struggle to earn through it only continues to grow. Leaking creator earning details highlighted this disparity further and may alienate many of the platform’s users.

In August, the original leaker himself signed off the leaks with the hashtag #TwitchDoBetter, in response to Twitch hate raids earlier this year. Unfortunately, it seems that the Twitch brand image has taken a turn for the worse and may take a while to recover in the public eye due to this leak.

The Twitch Hack: Key Takeaways

So, what exactly went wrong when it came to the Twitch leaks?

While we still don’t know the exact details of the vulnerabilities that the attacker exploited to hack Twitch, the hack appears to result from obsolescence.

Obsolescence risk occurs when a software application uses outdated components in its source code. These components can become vulnerabilities that attackers can exploit.

Earlier this year, the Open Web Application Security Project (OWASP) identified obsolescence risk as one of the top cyber threats and application security risks in the OWASP Top 10 2021, a list of the 10 worst cyber threats that web applications face in 2021. The recent Twitch hack indicates that the ranking seems to be reasonably accurate.

Obsolescence in software application security can result from using one or more outdated components alongside newer ones, leading to holes in the web application’s security. Using unsupported software libraries, discontinued APIs, or outdated Database Management Systems (DBMS) are all risk factors for obsolescence.

Other than obsolescence risk, another risk factor that possibly led to the Twitch leaks is known as A05 Security Misconfiguration. Inappropriate security hardening and insecure application framework settings are common vulnerabilities that may lead to security misconfiguration exploits.

No matter what the cause was, though, without proper application security testing and DevSecOps integration, there’s no surefire way of knowing what kind of vulnerability a software has and protecting yourself against it.

Effective Application Security Testing & DevSecOps

If you’re still with us, you’re probably already convinced that you’ll need a more reliable approach to software application security testing to protect yourself from such cyberattacks and leaks.

That’s where Kiuwan security solutions come in.

Kiuwan is your all-in-one DevSecOps solution for unparalleled application security testing and software composition analysis. A global company, Kiuwan offers an end-to-end application security platform for DevSecOps teams.

Kiuwan’s mission statement is to empower DevSecOps teams to create more secure and robust software safe from cyber threats, vulnerabilities, and exploits.

Kiuwan helps teams build more secure web applications and software with the Static Application Security Testing (SAST) tool and SCA Insights. We’ll briefly go over both here to show you how they can help protect you against leaks such as the Twitch hack.

Static Application Security Testing (SAST)

Kiuwan’s SAST is an automated DevSecOps tool for code scanning.

Simply put, SAST helps you build more secure applications by scanning for security flaws on the fly. Rather than manually checking code for vulnerabilities, SAST takes care of the work for you and automatically scans your codebase for security flaws. The entire process takes minutes on your local machine.

SAST supports over 30 programming languages, including Python, Swift, and JavaScript. It is also easy to integrate with pre-existing DevSecOps tools, as well as repositories such as Github, Bitbucket, and Assembla. SAST code-scanning tools are also available as extensions to your local IDE.

In the case of obsolescence in your code from using vulnerable or outdated code components, SAST will scan your codebase automatically and alert you. This preemptive alert will keep your web application secure from cyberattacks such as the one that targeted Twitch.

What’s more, once you detect any security flaws, you can use SAST to build a custom action response plan to protect your web application against potential cyber threats.

SCA Insights

SCA insights scan your static codebase, libraries, and components to help manage your open-source software risk.

If there are vulnerabilities in your software due to unverified, third-party libraries, SCA insights will alert you to which components are putting your software at risk. In addition, SCA insights are explicitly geared toward detecting threats from open-source components, thereby reducing obsolescence risk.

Kiuwan Insights uses the collective knowledge base built with experts over the years to keep your software code secure. The tool also automatically keeps track of application architecture, dependencies, obsolescence risk, and real-time code quality to help teams optimize their code.

Additionally, SCA insights are frictionless; the tool requires minimal setup. Instead, teams can integrate it and use it straight out of the box.

Final Thoughts

The recent Twitch hack demonstrates that web application security is a serious issue, and even the most experienced organizations with enormous resources are vulnerable to hacks, leaks, and exploits.

To keep your software safe and secure, you need a DevSecOps solution to provide you with the tools and platforms needed to write secure code.

Kiuwan security solutions are your one-stop source for all your web application security needs. Kiuwan SAST and SCA insights are practical tools that can help keep your web application safe from cyber threats with minimal effort.

So whether it’s protecting against obsolescence risk or security misconfigurations, get Kiuwan security solutions today to keep your web applications secure from future cyberattacks!

Get your FREE demo of Kiuwan Application Security today!

Identify and remediate vulnerabilities fast and efficient scanning and reporting. We are compliant with all security standards tailored packages for your team to mitigate your cyber risk within the SDLC.