An unknown hacker has leaked the entirety of Twitch’s source code among a 128 GB trove of data released this week. The hack, first reported by Video Games Chronicle and confirmed by multiple sources, includes:The entirety of twitch.tv, with commit history going back to its early beginnings

ZDNet Recommends

Mobile, desktop and console Twitch clientsCreator payout reports from 2019Proprietary SDKs and internal AWS services used by TwitchEvery other property that Twitch owns including IGDB and CurseForgeAn unreleased Steam competitor, codenamed Vapor, from Amazon Game StudiosTwitch SOC internal red teaming tools The hacker, who called themselves “Anonymous” on a 4chan discussion board, said Twitch’s community is “a disgusting toxic cesspool, so to foster more disruption and competition in the online video streaming space, we have completely pwned them, and in part one, are releasing the source code from almost 6,000 internal Git repositories.””Jeff Besos paid $970 million for this, we’re giving it away FOR FREE. #DoBetterTwitch,” the hacker added. 
Digital Shadows
Twitch and Amazon, which owns the company, did not respond to requests for comment. They released a brief statement on Twitter confirming that a breach occurred and pledging to release updates at some point. Twitch is one of the biggest gaming platforms in the world, with an average of 15 million daily users and more than 2 million Twitch creators broadcasting monthly.

More than 18 billion hours of Twitch videos were streamed in 2020. #DoBetterTwitch has trended for weeks as the platform has faced backlash for allowing “hate raids” — where the comment sections of minority gamers are overwhelmed by slurs and abuse. Twitch was forced to address the issue in a Twitter thread in August and pledged to do more about racial abuse. “This is not the community we want on Twitch, and we want you to know we are working hard to make Twitch a safer place for creators. Hate spam attacks are the result of highly motivated bad actors, and do not have a simple fix,” Twitch said. “Your reports have helped us take action-we’ve been continually updating our sitewide banned word filters to help prevent variations on hateful slurs, and removing bots when identified.”The words did little to quell outrage and gamers held a protest last month, boycotting the site for 24 hours due to the company’s inaction on “hate raids.” Public reaction to the leak has focused on the massive earnings of popular gamers — which reached the millions for some. In an interview with BBC News, Fortnite streamer BBG Calc confirmed that his earnings in the leak were correct and other high earners backed it up. There was also a significant amount of business information from Amazon released in the hack, including the company’s plans for a rival to gaming platform Steam called Vapor.Others raised severe concerns about the security of the platform and the many bank accounts connected to it. SocialProof Security CEO Rachel Tobac warned streamers to ensure their financial services have the strongest MFA available because they will now be targets for other hackers and scammers.”For streamers with payout data leaked, this includes Venmo, CashApp, Bank, etc. If hardware based MFA is an option, move to that by end of day (though many banks still don’t offer security key options). If security key not an option, move to app-based MFA rather than SMS-based,” Tobac wrote. “Intruders supposedly leaked Twitch internal red team tools & threat models — brutal. If true, this would likely include phishing lures known to be successful against Twitch employees, the hacking playbook. If you work at Twitch, be politely paranoid about messages, requests, etc.”F-Secure researcher Jarno Niemela said password hashes have leaked, so all users should change their passwords and use 2FA if they are not doing so already. “But as the attacker indicated that they have not yet released all the information they have, anyone who has been a Twitch user should review all information they have given to Twitch, and see if there are any precautions they need to make so that further private information isn’t leaked,” Niemela added. All of Twitch’s red team security measures are now widely available, providing hackers with untold information about how to invade the company and those connected to it, she added. Among the files leaked, experts were focused on the folders “core config packages,” “devtools,” (developer tools) “infosec,” (information security). James Chappell, co-founder of Digital Shadows, said one of Twitch’s internal GitHub repositories was stolen in the attack.The leaked data was made available through torrents shared as magnet links. The data set appears to be comprehensive. It has also been labeled as a ‘part 1,’ which suggests that there is more to come. Whilst user data does not currently appear to be in the archive, users on the forum are speculating as to what may follow,” Chappell said. “There appears to be evidence that the original files came from an internal GitHub server, git-aws.internal.justin.tv, was at least part of the breach. Justin.tv was the name of a company that eventually transformed into Twitch. It rebranded as twitch in 2011 – so this looks like a long-standing piece of infrastructure.”Security experts like ThreatModeler CEO Archie Agarwal described the hack as “as bad as it could possibly be” and questioned how someone managed to exfiltrate 128 GB “of the most sensitive data imaginable without tripping a single alarm.” More

One of Brazil’s largest insurance groups, Porto Seguro has reported it suffered a cyberattack that resulted in instability to its service channels and some of its systems.The company reported the incident to the Securities and Exchange Commission (CVM) on Thursday (14), saying that it “promptly activated all security protocols” and that it has been gradually restoring its operating environment and working towards resuming normal business as soon as possible.Porto Seguro did not disclose any further details in relation to the type of attack it has suffered, but noted that so far, no data leakage had been identified in relation to the company, or its subsidiaries, customers or partners, including any personal data. Third largest insurance company in Brazil, Porto Seguro leads the car and residential insurance segments in Brazil and has around 10 million clients across its various business lines including credit provision. The company is headquartered in São Paulo, with subsidiaries in Brazil and Uruguay employing more than 13,000 staff.

The company is the latest of a list of major Brazilian organizations suffering major security incidents over recent weeks. Earlier this month, CVC, one of the country’s largest travel operators, was hit by a ransomware attack that brought its operations to a standstill. Since the attack, reported to CVM on October 2, the company has a banner on its website stating that it has been hit by a cyberattack and that it is “working diligently to mitigate the impact of the incident and ensure business continuity.” At the time of writing, the CVC’s investor relations page, where updates on the incident would have been published, was unavailable. Prior to CVC and Porto Seguro, other major companies in Brazil that were targeted by cybercriminals included retail chain Renner, victim of a ransomware attack that compromised its e-commerce platform for three days in August.

Security teams are in place in less than a third of Brazilian organizations, even though most businesses frequently suffer cyberattacks, according to research published by Datafolha Institute on behalf of Mastercard and published in June. Financial services, insurance, and technology and telecommunications are among the most prepared in terms of cybersecurity readiness, the study has found. Conversely, the education and healthcare sectors are the most vulnerable. According to a separate study, also carried out by Datafolha Institute and published in July, the fear of cyber attacks is high among Brazilian users. The research aimed at measuring the level of concern regarding the security of consumers within data and information exchange environments, and it found that only 13% of those polled consider their data to be very secure, while 21% consider their data to be insecure.In September, the banking sector started discussions with the Ministry of Justice around the creation of a strategy to address crime in digital environments. Goals under the strategy would include the expansion of the set-up around identifying and repressing actors responsible for cybercrimes, as well as the promotion of permanent cooperation between the public and private sectors on the matter and public awareness campaigns on cyber risks and fraud. More

Kerry Wan/ZDNETNetflix wasn’t the first streaming platform, but it was the first to make video-on-demand mainstream. Fourteen years ago, as it phased out its mailing service, it took a massive bite out of the global market.Also: This 30-second fix made my Roku TV run like new again (and why it works)Remember that? Physical DVDs showing up in your actual mailbox — the one at the end of your driveway (or your hallway)? To my surprise, that was still actually a thing up until late 2023. Whaaat?Streaming introduced a slew of new entertainment options and, most importantly, unparalleled convenience. These days, Netflix is one of many platforms that offer a staggering amount of titles to choose from — and yet, there is more there than meets the eye.Did you know Netflix has secret cheat codes?As it turns out, Netflix has a plethora of shows and movies available that you don’t normally see when booting up the app. Our personalized, algorithm-based menus confine us to viewing only a fraction of the entire Netflix library.Also: How to clear your TV cache (and why it makes such a big difference)You can find special cheat codes to unlock more content on resources like Netflix-Codes and the website What’s On Netflix. Either is a good place to start massively multiplying your viewing options. The categories associated with these codes range everywhere from “Deep Sea Horror Movies” (code 45028) to very specific subgenres like “Feel-good Sports Movies for Ages 8 to 10” (code 855).  More

Image: Getty Images
The circulation of election conspiracy theories in Australia has increased with the country set to have its federal election later this year, Australia’s electoral commissioner said on Tuesday night. Appearing before Senate estimates, AEC commissioner Tom Rogers said the uptick in election conspiracy theories mirrored what has been occurring in overseas jurisdictions. Among the conspiracies posted online has been that postal voting is not secure, Rogers said. The AEC commissioner also warned of other election conspiracies, specifically debunking misinformation that unvaccinated people will not be allowed to vote in person.”One [conspiracy] doesn’t seem to go away is that somehow we’re mandating that voters be vaccinated, and that this will deny people the vote,” he said, confirming that people will be allowed to vote in person regardless of their vaccination status. To address the rise in conspiracy theories, Rogers said his agency has been working more closely with social media platforms to quickly remove election misinformation and disinformation. For one instance of the postal voting conspiracy content arising online, the commissioner said his agency pointed out to Twitter that the content breached the platform’s terms of service, which culminated in that information being removed within three hours. “Twitter and others get rightly criticised, but it’s a shout out to them for being very responsive to remove something that’s dangerous,” Rogers said.

He noted, however, that addressing election misinformation is a complex issue as the nature of some conspiracies means their removal can fuel the creation of further conspiracies. “[This] can become very circular, so you need to exercise some judgment about how we deal with those issues,” he said. Rogers added that while the AEC was able to reach out to Twitter, negotiations are still ongoing with Digital Industry Group Inc (DiGi), the industry group advocating for big tech, to create a formal protocol for working with social media platforms to remove election disinformation and misinformation. In the meantime, all major social media platforms have given “assurances” that they would allocate more resources for monitoring election disinformation and misinformation for the upcoming Australian federal election, said deputy electoral commissioner Jeff Pope, who appeared alongside Rogers at Senate estimates. “For this election, we’re getting assurances from all of them that they will be expanding their hours of service, including having not just expanded hours of service here in Australia but then actually having staff in other parts of the world so that they can try and get as close to 24/7 coverage — so they’re not confined by the business hours of the staff here in Australia,” Pope explained. “For instance, some of them have staff here in Australia, they have a regional office in Singapore, then they have another office in Europe. They will be effectively following the sun as we go through the election to try and get as much maximum coverage as possible.” For the upcoming federal election, where voting is mandatory, the commission expects to go through 4.5 million pencils — up from 100,000 in 2019 — along with 34,000 bottles of surface cleaner, and 63,000 litres of hand sanitiser as part of its pandemic safety measures. Related Coverage More

Boris Zhitkov/Gatty Images You are one data breach away from your entire online life being turned upside down. The problem is our reliance on passwords, which are hopelessly fragile ways to secure valuable resources. Don’t be lulled into a false sense of security by believing that creating a longer, more complex, harder-to-guess password will somehow make […] More