Last month, Amazon’s Twitch streaming service confirmed that it had been the victim of a significant data breach.
Around 125GB of data (including the source code for the mobile, desktop, and video game console versions, as well as the earnings of Twitch’s content creators) has been released by the hackers to the anonymous messaging-board website 4Chan. The attackers claim that their attack was specific and targeted, carried out in the name of “foster[ing] more disruption and competition in the online video streaming space”.
Unusually the majority of user personal data that has likely also been lost, including passwords and addresses, appears to have been left out of the torrent posted on 4Chan. This would appear to support the Hacker’s claims to have targeted the company rather than its users.
More worryingly however the leak has been labelled ‘Part 1’ on the site, indicating that further releases (some of which will likely include further user information) may be posted in the future.
A (GD)PR Disaster
This episode must be seen as an unmitigated disaster for Twitch and Amazon.
The breach been described by some commentators as unprecedented in scope; Joe Tidy, the BBC’s cyber security reporter, assert it to be “the biggest leak [he has] ever seen – an entire company’s most valuable data cleaned out in one fell swoop.” Twitch has also famously fiercely guarded its operational details, such as how much its streamers are paid. The leak has provided to its ever increasing number of competitors an opportunity few thought available.
Indeed Twitch now faces the dual agony of the reputational damage that naturally comes with a data breach of this magnitude and the possibility of a watchdog investigation. Rather damningly, knowledge of the breach was first made public by the hackers themselves, rather than Twitch or its parent company Amazon.
Amazon must review its information security landscapes. Matt Sanders, writing in the Digital Journal suggests that “organisations storing personal information must ensure that data protection is of the utmost priority and must implement real-time monitoring and clear visibility to detect and neutralise security threats”. Personal information security is inherently intertwined with information security and a failure of the latter will always effect the former.
It is possible that many content creators and users will simply opt to join other rival platforms. Twitch and other video-sharing platforms (VSP) have also found themselves facing criticism from Ofcom in recent weeks regarding their protection of younger users from inappropriate content.
This reputational damage will be magnified if further personal information, such as user login details and addresses are leaked as part of further data releases. Considering the interrelated nature of our online accounts, the loss of any password may provide malicious actors with a skeleton key for further accounts. This may also incur the maximum scope of fines that the GDPR can levy.
Despite this, Twitch currently remains one of the most prominent actors in the live-streaming and gaming landscape. Questions remain regarding how such a vast amount of crucial infrastructure data was accessed and whether Amazon/Twitch were aware that it had been stolen in the first place.
If it is found that any user personal information was also stolen (as is likely to be the case) Twitch could face legal action in relation to GDPR infringements.
Tacita recommends that all Twitch users reset their current password and look to implement two factor authentication on their accounts.