Home SecurityData Breach Twitch breach highlights dangers of choosing ease of access over security

Twitch breach highlights dangers of choosing ease of access over security

No company wants to see its crown jewels exposed to the elements, yet this is what happened to the Amazon-owned online streaming platform Twitch on October 6 when 125GB of its data was posted on 4Chan.

Twitch, via a Tweet, acknowledged the breach, “We can confirm a breach has taken place. Our teams are working with urgency to understand the extent of this. We will update the community as soon as additional information is available. Thank you for bearing with us.” In an October 6 blog post, the company blamed “an error in a Twitch server configuration change that was subsequently accessed by a malicious third party.” Thus, Twitch pointed the finger for the posting of the 125GB of sensitive internal information to an external third party and not toward a malevolent insider.

What exactly went out the door and onto 4Chan? According to Video Games Chronicle, which first reported on the breach, the following data sets were exposed:

  • The entirety of Twitch’s source code with commit history “going back to its early beginnings”
  • Creator payout reports from 2019
  • Mobile, desktop, and console Twitch clients
  • Proprietary SDKs and internal AWS services used by Twitch
  • “Every other property that Twitch owns” including IGDB and CurseForge
  • An unreleased Steam competitor, codenamed Vapor, from Amazon Game Studios
  • Twitch internal red-teaming tools

The service forced an update of all users’ stream keys on October 7. Since then, it’s been radio silence on the Twitch blog front.

The importance of least-privilege access

The misconfiguration of a server, leaving a direct pathway to the unprotected crown jewels of Twitch, raises questions surrounding the basic concepts of least-privilege access. Cymulate’s cyber evangelist David Klein observes how it is not a good idea for CISOs to “have everything, including source code, accounting records to streamers, encrypted passwords, and unreleased projects to compete with Valve/Steam accessible. This is bad. Basic least privileges for administrators, internal segmentation, and understanding where your data is and who has access are of paramount importance.”

From the distant lens that we share from the outside looking in, questions CISOs should be asking themselves include:

Copyright © 2021 IDG Communications, Inc.

Source link

Related Articles

Leave a Comment