by: Florian Riederer
2021 continues apace with more high-profile and disruptive data breaches. Last week’s confirmed breach and leak of 125GB of data from the streaming platform Twitch marks a new headline grabber that attracts the attention of people outside of the cybersecurity world. By far the most reported aspect of this breach was the leaking of streamers’ earnings.
However, the data breach also released other information that is more relevant to Twitch’s future security outlook and business operations. This includes the website’s source code, as well as folders appearing to contain information on Twitch’s internal development and information security tools. Data was also leaked about additional products Twitch has in development. The data that can be expected to have the most direct business impact is the leaked information about a gaming distribution service that looks to compete with Steam and Epic Games.
While security through obscurity is not worth much, this degree of publication increases the possibility that future threat actors will discover exploitable vulnerabilities. At this time, it’s impossible to say to what degree this threat will come to fruition, but the security team at Twitch will certainly be put under strain by the necessary remediation work. The good news is that it does not look as if users’ log-in details or credit card information have been compromised, so individual users should be spared from follow-up attacks looking to capitalize on the revealed details.
It’s a truism in our field that the question is not if a breach will happen, but when and how severe it will be. Based on some of the reporting I read for this write-up, the management culture at Twitch was apparently happy enough to let one happen sooner rather than later. Anonymous sources speaking on the security culture at Twitch described the company’s reliance on third-party tools, ineffective and insufficient auditing, and failures to revoke access after individuals left the organization. That indicates a broad attack surface that could have been effectively addressed by standard endpoint protection and access management.
Maybe Twitch made the intentional choice that the risks and costs of a breach were lower than the effort and technology needed to mitigate them. Since we don’t know the full extent of the breach yet, nor the future security risks caused by the leaked source code, it is impossible to evaluate this from the outside. But it is an important reminder that we need to have an intentional, well-thought-out strategy for handling cybersecurity risks. If you want to pursue a proactive strategy, our experienced team will be able to help and advise you. Get in touch with us at firstname.lastname@example.org if you want to learn more.