On 5 October 2021, an anonymous user on the 4chan technology board posted a claim to have obtained a large breach of Twitch proprietary code. The user called out Twitch for being a “toxic community,” ending the post with #DoBetterTwitch (a variation of the trending TwitchDoBetter hashtag, which responded to the ‘Twitch Hate Raids’).
The post briefly describes the content of the leaked data, including source code for Twitch and other products, and streamer payout data.
Twitch responded early on 6 October via Twitter, confirming that it had been breached. Later the same day, Twitch announced the cause of the breach as a configuration change.
Additionally, Twitch later wrote on its blog that it had reset all stream keys “out of an abundance of caution.”
One of the things Red Sky Alliance reviewed was the leaked ‘secrets.’ In this breach, we found 5814 source code repositories. These repositories contained the source code for Twitch’s streaming service, as well as internal tools. 34% of these repositories are active, meaning they were updated during 2021, some as recently as 4 October, the day before the breach was announced by the attacker(s). If we include the previous year, 2020, then 48% have been active. Our analysts consider the remainder to be either “unmaintained” code originally developed by Twitch and then abandoned, or part of the core language libraries, which we expect to change infrequently.
Some of the applications we observed are the iPhone and Android versions of the Twitch mobile application, the twitch.tv website application, and multiple back-end microservices. Attackers now have this source code and can audit it for security vulnerabilities and develop exploits.
Hardcoded credentials, that is, usernames and passwords plainly visible in software source code, were found in numerous repositories. Also found were API keys for third-party services, including Slack and AWS, SSH keys, and database server credentials.
Some of these secrets are used on production servers to run the company’s software services. Others are used in DevOps automation processes that do three things: 1. test the software before deployment to ensure there are no new bugs; 2. allocate new cloud resources or modify existing ones; and 3. deploy the applications to their production servers. This is essentially the software development supply chain. An attacker who is able to extract credentials used for any of these DevOps elements can hijack the supply chain, or impersonate individual parts of it, to disrupt the company’s services or inject malware into the company’s software.
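As an added illustration, not Red Sky Alliance’s tooling or anything from the leak, the following scanner looks for the kinds of hardcoded secrets described above (AWS keys, Slack tokens, SSH private keys, database credentials, plus a generic high-entropy assignment check) in a constructed sample repository. File paths, values and regex rules are assumptions made for this example; a defender would run such a check in CI before code reaches a shared repository.

```python
import math
import re
from collections import Counter

# Constructed sample repository (path -> file text). Nothing here is from the
# leak: the AWS values are Amazon's documented examples, the rest are placeholders.
SAMPLE_REPO = {
    "config/aws.env": (
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "deploy/notify.py": 'SLACK_TOKEN = "xoxb-000000000000-000000000000-ExampleTokenValue"\n',
    "ci/deploy_key": "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXk=\n-----END OPENSSH PRIVATE KEY-----\n",
    "db/settings.py": 'DATABASE_URL = "postgres://svc_user:SuperSecretPw9@db.internal:5432/app"\n',
    "app/settings.py": 'API_KEY_HEADER = "X-Api-Key"\nSESSION_TOKEN_TTL = 3600\n',  # benign
}

# Format-specific rules for the secret types the article names (assumed patterns).
RULES = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "slack_token": re.compile(r"\bxox[abpr]-[0-9A-Za-z-]{10,}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----"),
    "db_url_with_password": re.compile(r"\b(?:postgres|postgresql|mysql|mongodb)://[^:/\s]+:[^@\s]+@"),
}
# Generic fallback: a secret-looking variable assigned a long, high-entropy literal.
ASSIGNMENT = re.compile(r"(?i)(?:secret|password|passwd|token|api[_-]?key)\w*\s*[=:]\s*[\"']?([^\s\"']{8,})")
ENTROPY_THRESHOLD = 3.5  # bits per character; filters names like "X-Api-Key"

def shannon_entropy(s):
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def scan_text(path, text):
    """Return (path, line_no, rule, redacted_match) for every hit in one file."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        hits = [(rule, m.group(0)) for rule, rx in RULES.items() if (m := rx.search(line))]
        if not hits:  # only fall back to the generic check when no specific rule fired
            m = ASSIGNMENT.search(line)
            if m and shannon_entropy(m.group(1)) >= ENTROPY_THRESHOLD:
                hits.append(("high_entropy_assignment", m.group(1)))
        # Redact so the scanner's own report does not become a second leak.
        findings.extend((path, line_no, rule, val[:4] + "***") for rule, val in hits)
    return findings

def scan_repo(repo):
    return [f for path, text in repo.items() for f in scan_text(path, text)]
```

`scan_repo(SAMPLE_REPO)` reports five findings across four files and nothing for `app/settings.py`, whose assignments fail the length or entropy filters.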
Today’s Internet services are complex beasts. Diagrams like these help developers understand and keep track of how all the pieces fit together. Unfortunately, they also provide a rich source of information to attackers: they detail the technologies the company uses and how those technologies are wired together.
The reconnaissance phase is the first step an attacker takes when seeking to exploit any system. The attacker needs to understand how it works and look for ways to exploit the way it is put together.
It can take weeks, months, or even years for an attacker to construct this level of detail from the outside looking in. But the level of detail seen here (see the stolen Twitch whiteboard pics) immensely reduces the amount of work an attacker would need to understand this system. Then, once an attacker knows which technologies are involved, they can start looking for known vulnerabilities in those technologies and begin probing the target.
It appears that the Twitch security team was storing this information on the same source code repository server as the application source code. We strongly recommend storing security-related information like this separately from the application source code.
We believe that average users are at minimal risk from this breach. Twitch responded quickly after learning about the breach, and that is great. Twitch took steps to quickly identify the root cause of the breach and protect user data (other than streamer revenues). Additionally, Twitch uses strong hashing methods (such as SHA-256 and SHA-512) and strong encryption methods (RSA-2048) when transmitting data.
Twitch also uses a suite of internal security tools. For instance, CredentialChecker can run account and password data discovered in breaches against actual Twitch credentials. Matches can then be passed on to an internal Passport team, enabling them to take action to protect the breached accounts.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or firstname.lastname@example.org