Twitch's response to security breach is a failure

2021/10/09

Tags: tech

Three days ago a 125 GB leak of Twitch data, including version control history and source code of the Twitch website, associated tools and client software, information about and source code of as-yet unreleased software, SDKs, creator payouts and more, was published on 4chan. You wouldn't be able to blow the doors open on a company more than this, except by posting readily available access keys and literally stealing the locks to their doors.

Within days of the leak, Twitch was also defaced, which might or might not be tied to the leak or information contained in said leak.

What has Twitch's response to this been? Some posts on social media and an email sent to users telling them that "Out of an abundance of caution, we have reset all stream keys." Users haven't actually been informed that a breach has taken place, we still have no idea how this leak happened, and Twitch seems intent on playing Russian roulette with the safety of their users' data and accounts.

Excuse me, what?

Seriously, the fact that this kind of a leak happened at all speaks of a gross failure to adequately secure the company's data. Unless the leak came from within, the attackers must have gained unauthorized access to the company's version control systems in order to obtain the source code, and at that point we are extremely lucky IF the attacker didn't also make changes to the software. The fact that so much other data was also leaked indicates that either the credentials of a super-user of sorts were totally hijacked, or the Twitch systems are so tightly integrated and access control so poor that one unauthorized entry led to everything being accessible. Either of those scenarios speaks of a failure to establish good security practices and systems.

Even more disgusting is Twitch's silence on the topic. They haven't shared information about how the attack took place, what was compromised, or what steps users should take to secure their data, absolutely none of that. And I stress: THEY HAVE NOT EVEN ACKNOWLEDGED THE ISSUE TO THEIR USERS. They acknowledged the breach on Twitter, but unless you are following Twitch on Twitter for some reason or kept up with recent tech news, YOU DON'T EVEN KNOW THAT A BREACH HAS TAKEN PLACE. The fact that Twitch has reset stream keys indicates that they believe there is a credible threat that some user details might have leaked, but they aren't telling users to take any steps to secure their accounts, such as changing their passwords or resetting or setting up two-factor authentication.

My trust in the platform has eroded during these couple of days so much that I decided to completely delete my Twitch account, but even there Twitch showed me a massive middle finger. As it turns out, Twitch will honor your deletion requests, but only after 90 DAYS, which is the maximum amount of time allowed by GDPR for COMPLEX REQUESTS. What am I supposed to take from this? Is Twitch's account and data handling system such a pot of wet spaghetti that locating and deleting my personal and profile information takes 90 days to complete, whereas multiple other sites are able to facilitate such requests in less than a day?

At this point my recommendation would be to consider the Twitch website hostile ground and a security risk to your personal information. At the very least you should make sure that your Twitch password is not reused on other services (you should do this anyway), because, given Twitch's silence and the possibility that the code base was tampered with, there is no way to establish that the code still behaves as intended.

If you are able, I would highly recommend moving off the platform entirely. If you have technical expertise and want to establish an independent streaming site, I would highly recommend looking into Owncast.
