Massive Breach at Twitch

By Dave McKay | October 7, 2021

Entire Source Code Base Stolen and Posted Online

The term “massive breach” doesn’t quite describe what took place at Twitch, Amazon’s streaming platform. Twitch announced the breach on Twitter on Oct. 6, 2021.

The amount of data is staggering—around 125GB—but the scope of its content is truly astonishing. The hackers stole:

  • All of Twitch’s source code. All of it. Every piece of software they’ve written in-house.
  • Remuneration details for their content creators.
  • The code for the Twitch clients on all platforms: mobile, desktop, and consoles.
  • Internal development tools and details such as private SDKs and AWS services.
  • Other Twitch assets such as IGDB and CurseForge.
  • An in-development Steam competitor, codenamed Vapor.
  • Security tools used by Twitch employees to simulate attacks, so that Twitch could find and fix its cybersecurity shortcomings. Oops.

A link to download the stolen data was posted on 4Chan.

Amazon purchased Twitch in 2014, but it doesn’t look like Amazon’s security policies were forced downstream into Twitch’s processes. It is reported that the following issues were identified:

  • Twitch didn’t develop any measure to counteract internal threats
  • Every engineer had access to the entire code repository
  • Twitch hadn’t adopted Amazon’s security measures when they were bought in 2014; they stuck with their own much weaker ones

A Twitch engineer:

“No other company has this level of facepalm…”

Having their cybersecurity test tools stolen is a particularly low point in this catastrophe, and may be embarrassing. But the damage that could occur as a result of their proprietary code—all of it!—being released to the world is almost incalculable.

Heads, as the saying goes, will roll. And probably, quite a few of them.

Source: Platformer