This is like ‘KFC losing its secret recipe’
A breach at Twitch, the Amazon-owned service that specializes in video game live streaming, has exposed the apparent earnings of e-sports stars and other sensitive information.
The hack and subsequent leak of data has revealed source code, internal tools, and hashed user passwords. The leak also reportedly spilled data on a prototype competitor to the Steam platform, codenamed Vapor, from Amazon Game Studios.
Anonymous attackers leaked a 125 GB torrent featuring Twtich source which they publicised through 4chan. The leak was designed to “foster more disruption and competition in the online video streaming space”, the attacker claimed.
In a statement on its official blog, Twitch confirmed the hack on its systems while attempting to downplay users’ potential concerns about the impact of the breach.
We have learned that some data was exposed to the internet due to an error in a Twitch server configuration change that was subsequently accessed by a malicious third party. Our teams are working with urgency to investigate the incident.
Even though it had “no indication that login credentials have been exposed”, stream keys have nonetheless been reset as a precaution. Twitch’s investigation into the breach is ongoing but it has assured users that it doesn’t store full credit card numbers on its systems.
The cause of the high-profile breach remains unclear, but is subject to speculation among security experts on social media. One credible but unconfirmed theory, based on forensics on the Twitch source code, posits that it came from a compromised Amazon S3 bucket.
John Vestberg, CEO of Clavister, commented: “Twitch’s most valuable data is now out in the open. Akin to KFC losing its secret recipe, what made its offering unique is now available to its competitors.”
Jarno Niemelä, principal researcher at F-Secure, said: “As password hashes have leaked, all users should change their passwords, and use 2FA if they are not doing so already.
“But as the attacker indicated that they have not yet released all the information, anyone who has been a Twitch user should review all information they have given to Twitch and see if there are any precautions they need to make so that further private information isn’t leaked.”