Since the Twitch data leak of around 125GB of information, security experts have been weighing in on the situation.
Archie Agarwal, founder and CEO of ThreatModeler, which tests and assesses possible cyber security breaches, shared his concern over the leak with ThreatPost, calling it “as bad as it could possibly be.”
“Reading of a data breach that includes the entire source code, including unreleased software, SDKs, financial reports and internal red-teaming tools will send a shudder down any hardened infosec professional”.
Agarwal and several other security experts were shocked by the data breach, which occurred on Wednesday, October 6, and was confirmed by Twitch on Twitter.
We can confirm a breach has taken place. Our teams are working with urgency to understand the extent of this. We will update the community as soon as additional information is available. Thank you for bearing with us.
— Twitch (@Twitch) October 6, 2021
While no user information has been leaked in the huge torrent posted to 4chan, Agarwal “almost guaranteed” that user information was collected in the hack, the leak of which was titled “part 1” on the anonymous forum.
The attacker, who claimed to be motivated by a desire to “foster more disruption and competition in the online video streaming space” stemming from their belief that the Twitch community is “a disgusting toxic cesspool”, appears to be morally rather than financially motivated. However, it would still be wise for users of the service to act with caution.
Considering that passwords were almost certainly included in the breach, it is important to act immediately. Jarno Niemela, principal researcher for F-Secure, a company offering cyber security solutions, advised that while passwords are yet to be leaked, users should act fast.
“From what we currently know…password hashes have leaked, all users should obviously change their passwords, and use 2FA (two-factor authentication) if they are not doing so already”.
Agarwal further advised that users “will have to take the usual precautions of changing their account credentials and making sure they don’t use the same combination of credentials to access other services online”. As Twitch users often have their accounts linked to PayPal, it is vital that users also change their passwords there to secure this connection.
James Chappell, co-founder and chief innovation officer at Digital Shadows, a digital risk solution provider, was concerned that a further leak containing user information could be coming. He also had some general advice to offer users of any media platform.
“As the attacker indicated that they have not yet released all the information they have, anyone who has been a Twitch user should review all information they have given to Twitch, and see if there are any precautions they need to make so that further private information isn’t leaked”. This should include reviewing third-party apps and accounts which are linked to your Twitch account.
He further advised people that “while it won’t help in this case, as data has already leaked, users should always be cautious on what kind of information they provide to any social-media platform.”
Javvad Malik, security awareness advocate at KnowBe4, also shared his concerns for Twitch users in the future, warning people that not all of the attacks based on the information which was leaked will “come immediately.”
“Criminals can use the data within the leak to formulate convincing phishing attacks over weeks or months. So it’s important for Twitch users to remain vigilant of emails, text messages, physical letters or even phone calls claiming to be from Twitch, or a related service.”