The massive Twitch hack last week is just the latest high-profile breach to throw the security industry into a frenzy. Everyone is asking how this could happen: how such a large store of critical data, the source code itself, could be taken without tripping any alarms, and how a company with literally Amazon-level security resources seemed to learn of the breach only once it started spreading on 4chan.
While security pros wait anxiously to unpack the “part 2” release promised by the hackers, it is becoming apparent that passwords and user emails are probably coming next; according to Threat Post, researchers are already uncovering evidence of this data.
The PR nightmare for Twitch is only just beginning, and millions of users’ personal information, in plain text, will soon percolate among threat actors looking to capitalize on the trove of data released in this hack.
First, it goes without saying that Twitch users need to rotate their passwords immediately and enable multifactor authentication on their accounts if they haven’t already; that is just basic security hygiene. Twitch, for its part, reset all stream keys “out of an abundance of caution” (a leaked stream key lets anyone broadcast to that creator’s channel) and has kept its platform online throughout the crisis. In itself, that is impressive and notable during such a massive incident.
Ongoing shifts in attack tactics
Beyond the immediately compelling parts of this story, from the enormity of creator payouts to trolling Jeff Bezos, the nature of this attack matters: the shift from encrypting data and demanding a ransom toward stealing data and extorting the victim with the threat of publication is serious and significant.
Breached organizations that have lost control of their data no longer face the binary choice of paying for decryption keys or rebuilding from backups; once the data has been exfiltrated, restoring from backup recovers nothing and paying buys only a promise not to publish. The calculus for businesses in a crisis becomes far more complex when a threat actor’s objective is extortion rather than a straightforward ransomware payout.
Twitch won’t be the last example of this emerging and vexing tactic, one that seems to be gaining momentum.
Staying ahead of the game
I’ll give Twitch the benefit of the doubt and assume it had fairly mature security operations and incident response planning, two areas in which companies often woefully underinvest until it’s too late.
But the situation is a sobering reminder that even when an organization does everything right, there is no 100% prevention; defenders have to cover every path in, while an attacker needs to find only one. The name of the game now is a well-tested, well-documented plan that establishes the response your company wants to have when the unthinkable happens.
Who makes the final decisions? What do you shut down, and when? Who gets called, and in what order? These discussions are infinitely easier to have when it isn’t a hair-on-fire situation. By the time the inevitable happens, the company and its response need to be battle tested.
While the full scope of Twitch’s hack remains to be seen, it is an eye-opening situation that everyone should study as a cautionary tale. Even mature, well-resourced systems can be penetrated, and threat actors are keen to wreak havoc by taking data without ever locking it up in ransomware.
Companies must plan, be diligent about process and documentation, and do everything possible to detect intrusions early and minimize their impact. They must keep playing an unfair game that is getting progressively more complicated.