Twitch, Breached. A Hacktivism Reboot?
14-February | Written by Jean Loup P. G. Le Roux
A few weeks ago, the whole world reeled at the news that Twitch had been hacked. Millions of people instantly flocked to haveibeenpwned.com to see if their emails had been compromised and quickly changed their passwords. Most of the media frenzy seemed to focus on the exposed incomes of the highest-paid Twitch streamers, but there’s another big side to this whole story: hacktivism.
The Twitch hackers didn’t infiltrate Amazon’s biggest stake in gaming for the clout (well, maybe a little) or for monetary gain. They claimed to have done it for the greater good:
To topple Twitch’s monopoly on streaming, and
To bring attention to social issues on the platform, such as the abhorrent treatment of minority streamers that seems to go unaddressed by Twitch.
These are both worthy enough reasons to act, but what does this mean for the greater digital landscape from a hacktivism perspective? Let’s quickly explore this event and what it means for the potential new rise in hacktivism.
An (Ethical) Hacking Resurgence
Hacktivism emerged sometime in the 1980s, and its embers have been kept alive in the hearts of activists across the world. The last few years seem to have seen a resurgence in digital protest thanks to new technologies coupled with the immediate reach of social media.
Hacktivists have always been portrayed as moral crusaders fighting against the Evil Corp™, and widely-viewed (albeit fantastic) shows like Mr. Robot have popularized this view. The Twitch hackers, along with a whole slew of recent hacktivist attacks, share that moralistic high ground. In a very similar attack earlier this year, the group Anonymous exposed all the data of an Internet services company called Epik. A lot of far-right groups used this service and the hack exposed the personal data of their members. Like with the Twitch case, those hacktivists claimed to be righteously punishing these companies for their misdeeds.
Ethics aside, the moral battleground on which hacktivism charges its legions is based on just principles. But like with any war, there are unfortunate casualties - and in the digital realm, that usually comes down to the personal data of innocent bystanders. Thus far, this Twitch hack doesn’t seem to have exposed the personal data of any users, but it exposed the incomes of many Twitch streamers, as the media liked to incessantly remind us for weeks. These streamers didn’t sign up to have their personal data exposed and debated in such a public way.
On top of that, even if user data hasn’t been exposed yet, there’s nothing to say it won’t come to light in the future. People now must rely on the “mercy” of hacktivists to not store, sell, or otherwise expose their login details, credit card information, and personal identities. That’s not a position I’d be comfortable living in.
Stemming the Rising Threat
It could be argued that companies that don’t do anything “wrong” don’t have anything to fear from hacktivists - and they would certainly claim that as well, having distanced themselves from the likes of cybercriminals who only seek monetary gain. As if those weren’t enough to worry about. The problem with this way of thinking is, these days it’s nearly impossible to please everyone. As a company, complacency is the enemy of security, and trusting that outside parties won’t target you so long as you’re objectively “good” isn’t a great strategy.
Sadly, other strategies haven’t fared so well either. As the massive increase in attacks (regardless of the intent behind them) these last few years has proven, we’re woefully unequipped to deal with the onslaught of attacks that continue to escalate year by year. As you’ve probably heard more than you care for these last few months, the pandemic brought its own unique challenges to cybersecurity. Yet, despite the increase in cyber-attacks stemming from the pandemic, there’s a bigger overarching trend that continues to escalate year on year.
Hacktivism, on the other hand, had seen a marked decline in the last decade, with publicized attacks falling by nearly 95% between 2015 and 2018, according to IBM Security’s X-Force Threat Intelligence Index. Although it should be noted that those numbers are skewed as IBM only includes cases where the attack resulted in quantifiable damage, and someone actually took responsibility for it.
Despite that, there’s been a marked increase in hacktivist attacks aimed at government facilities in the last three years. Some of the most notable instances include the attack on the US pipeline in May 2021 and that time when over 260 Sudanese domains faced DDoS attacks in a single day before the arrest of dictator Omar al-Bashir. Now, there’s renewed interest in the private sector as well, as various new and old groups band together to target any entity that incurs their ire.
This is exacerbated by the increased visibility of companies and their internal workings thanks to social media. These last few years have also seen a major jump in scrutiny by the public, which has become much more aware of social and political implications and the parts companies play in this socio-political symphony. News instantly spreads like wildfire to billions and trust is lost at the drop of a dime.
Working Within the Framework of a Hacktivist’s Future
Hacktivist groups are tricky foes, as they usually consist of people from across the globe with easy access to various hacking tools. Let’s be clear: hacktivists aren’t all cybercriminals, but they still pose a major risk to companies and their clients/users. Despite their distinction from “black-hat” hackers who focus on illegal monetary gains, protecting company IP from hacktivists involves a lot of the same measures, with a few notable differences:
A focus on the role of PR as an asset in cybersecurity;
The value of regular audits to root out causes for employee dissatisfaction.
These two elements are greatly overlooked when it comes to cybersecurity, but they can make a big difference when integrated properly. Employee satisfaction counts for a lot when it comes to protecting company assets as disgruntled employees are prime targets for hacktivists.
The human element is one of the biggest tools in any hacker’s arsenal, but as the incredible Mr. Robot pointed out so well - people are often central to hacktivists’ plans. Naturally, public relations must play a strong part too. Since hacktivist attacks are socially motivated, it’s within companies’ best interests to see PR as part of their cybersecurity strategy.
On top of that, the Twitch hack has just proven once again how even large conglomerates still disregard the importance of good security practices. While Twitch officially blamed the hack on a bad server configuration, employees of the company told The Verge that security was often overlooked or slow to be implemented by management in favor of rushed projects. This, paired with apparent employee dissatisfaction and the growing indignation many felt at Twitch’s actions (or lack thereof), created the perfect storm for this attack.
Sadly, there are similarities here that are shared by many companies that have yet to realize their own precarious situation. Many cybersecurity experts were appalled at the level of the breach involved in the Twitch hack but weren’t surprised by its motivations. Will it be the rekindling of a decades-old passion that burns in the hearts of many to become a hacktivist renaissance? Only time will tell. Twitch’s lack of security-oriented focus paired with its declining social standing isn’t a unique tale, I’m afraid, and I’m sure we’ll see many new chapters of this story unfold in the years to come.