The Epik hack also made way for breaches into the websites of the Texas GOP, one of America’s biggest state party affiliates, and the Oath Keepers, a far-right militia group that contributed to the storming of the U.S. Capitol on Jan. 6. A California sheriff faced calls for his resignation this week after the hack showed evidence that he had been a member of the group in 2014.
The perpetrators of these hacks are distancing themselves from financially driven cybercriminals and ransomware gangs by portraying their attacks as moral crusades against what they said were the companies’ sins. In celebratory notes released alongside their data dumps, the Epik hackers said they were sick of the company serving hateful websites, while the Twitch hackers used a hashtag criticizing company efforts to confront harassment and said the site had become a “disgusting cesspool.”
“Jeff Bezos paid $970 million for this,” the hackers wrote, referring to the price Amazon paid to buy the company in 2014. “We’re giving it away FOR FREE.” (Bezos, Amazon’s founder, owns The Washington Post.)
Because the hackers hide their identities, it’s impossible to gauge their true motives. And because they’ve dumped the stolen data onto the open Web, thousands of the companies’ users have also had their personal information exposed, including, in some cases, sensitive information such as income, phone numbers and home addresses.
Allan Liska, a senior intelligence analyst with the cybersecurity firm Recorded Future, said the growing accessibility and sophistication of hacking tools and the ease with which social media can draw attention to a major hack has contributed to a dramatic upsurge in attacks by “hacktivists.”
“Hacking because you disagree with an organization and you want to expose them is starting to really gain traction again,” Liska said. And “generally the biggest victims of the attacks are not the target organization … but the people who work there” or use the service as part of their work or personal lives.
Coupled with Monday’s hours-long outage of Facebook, Instagram and WhatsApp, the hacks are casting a spotlight on critical weaknesses of the Internet — an aging “network of networks” strained by global growth and woven through with outdated software, vulnerable hardware and unpatched flaws.
They also showcase how weak the world’s cybersecurity defenses remain despite an eruption of concern after this year’s major ransomware attacks, including the crippling cyberattack on Colonial Pipeline that brought panic to fuel markets on the East Coast.
Twitch confirmed the breach Tuesday, saying its teams were “working with urgency to understand the extent of this.” In a statement, the company said a “malicious third party” had gained access through a misconfigured server and that officials were “still in the process of understanding the impact in detail.”
The company said no log-in details were exposed, but experts said the pilfering of internal security information could leave the site more susceptible to future attacks. Twitch says it has more than 7 million people streaming every month and 30 million visitors a day. The FBI said Thursday it is “aware of the incident and does not have any additional information at this time.”
The Epik hack also exposed source code, private account information such as passwords and home addresses, and tens of thousands of customers’ credit card numbers. The company has said it is investigating. The Texas GOP has said it reported the incident to the FBI.
Defenders of the hacks have praised them as a marvel of Internet transparency not dissimilar to the recent data dump from inside Facebook, in which the data scientist and whistleblower Frances Haugen pulled internal records showing the company had researched the negative effects its social networks could have on teens’ mental health and other issues. “Facebook in its current form is dangerous,” she told The Washington Post, and “it became necessary to get the public involved.”
But some streamers worried that the leaked data could hurt users by fueling campaigns of harassment or invasions of their privacy. “Please don’t downplay this for people that worry about it,” tweeted Scott Hellyer, who streams games on Twitch under the name “tehMorag” to his 73,000 followers. “This is real and will impact people for years.”
Troy Hunt, a security consultant in Australia who created the data-breach notification site Have I Been Pwned, said many such hacks are actually crimes of opportunity, with a loftier mission applied later. He recalled a popular information security joke: “The definition of hacktivist is you hack someone, then make up a reason they deserve it.”
“Very often the politically motivated reasons we see are convenient excuses,” Hunt said. “In the case of companies like Epik, there’s a case many of us can get behind. But in many cases I would argue there are other ways to achieve those aims without having that level of impact on people and still be able to make your point.”
Beyond its video game broadcasts, Twitch has become a major media attraction for young audiences, and in recent years the company has worked to pursue broader fan bases with live-streamed talk shows, music and art. Streamers can earn money from advertising, and the most popular are often pursued by competitors, such as Google’s YouTube, with lucrative exclusive-video contracts.
The Twitch hack, totaling more than 125 gigabytes, appears to have exposed the company’s most valuable data in an instant for the world to see, including the source code for its biggest products, technical details for unreleased software, and internal tools used by the company’s developers and security teams. Some of the leaked data had been created as recently as last month.
The hack also revealed details the company may have preferred keeping under wraps, including unconfirmed data on the payouts for its most popular stars. Critical Role, a troupe of actors known for their real-world role-playing games of Dungeons & Dragons, grossed $9.6 million since August 2019, the leaked data said. Félix Lengyel, a Canadian known as xQc whose 9 million followers watch him play shooting games sometimes for more than 10 hours straight, grossed $8.4 million. The streamers did not respond to requests for comment.
“The quality of the data coming out of these hacks has been insane,” said Matthew Green, an associate professor who teaches cryptography at Johns Hopkins University. “Usually a breach means we got 6 million customer records with email addresses. … This breach has threat models for the security team, the salaries of individual users, internal company documents, everything.”
Experts marveled at the size of the heists and questioned how the hackers were able to exfiltrate so much data without getting caught. The Twitch, Epik and Oath Keepers dumps all totaled more than 100 gigabytes each — the equivalent of tens of millions of pages.
Twitch’s link to Amazon, whose Amazon Web Services is an online behemoth handling about 40 percent of all Internet traffic worldwide, was especially baffling to some experts, who questioned how Twitch had failed to implement security safeguards to prevent a hack or even notice that so much sensitive data was gushing out. An AWS spokesman said the hack had “nothing to do with the operations of AWS services,” which “operated as expected.” (Some also noted that Twitch had joked about Facebook’s mass outage in the hours before its own hack was revealed.)
The hackers have used free and publicly available tools to distribute and publicize their looted data. Instead of hosting the files on a single server, the hackers used the peer-to-peer network BitTorrent to anonymously “seed” the files from their computer to users who wanted them. Once those users had grabbed the files, their computers began to seed as well — a viral scattering technique, popular among online pirates, that makes the files virtually impossible to take down.
The anonymous poster who announced the Twitch hack said they hoped the leak would “foster more disruption and competition” in video streaming sites, and they used a hashtag referencing recent protests over “hate raids,” the organized mass-harassment campaigns of streamers, many of them people of color.
But the poster’s choice to reveal the hack on the message board 4chan raised the eyebrows of some experts, because the almost-anything-goes forum is infamously tolerant of hateful memes and racist slurs.
The ideological heyday of hacktivism, Green said, was roughly a decade ago, when groups such as Anonymous and LulzSec won attention for their digital assaults on the Church of Scientology and the FBI.
But because so little is known about the hackers, they alarm experts in cybersecurity, consumer privacy and national defense. The 2014 hack of Sony Pictures Entertainment, which dumped unreleased movies, embarrassing private messages and employees’ salaries onto the open Web, was later attributed to a group affiliated with North Korea, where officials were upset about the Hollywood studio’s portrayal of leader Kim Jong Un.
In the past five years, since WikiLeaks shared confidential emails from the Democratic National Committee during the 2016 presidential campaign, the hackers’ activities had mostly disappeared, Green said. But the recent spike in big hacks has left some experts questioning what’s driving the resurgence.
In March, after a hacktivist collective breached the security firm Verkada and released footage from tens of thousands of its cameras installed in hospitals and schools, the Swiss hacker Tillie Kottmann told The Post that the attack had been intended to spotlight the dangers of a growing surveillance industry. Kottmann was indicted that month by a U.S. grand jury on hacking charges; the case is ongoing.
But some hacks designated as activism have raised questions of whether they were actually just attempts at gaining clout or causing chaos. And even if the hacks are motivated by political aims, some experts suspect they are closely watched by state-sponsored hackers, cybercriminals and ransomware gangs, who can use the valuable data to gather evidence on targets or inform their next attack.
“There’s always been a lot of this ‘lulz’ chaos-merchant attitude hiding behind the hacktivism,” said Green, using a popular online term meaning laughs. “A lot of hackers don’t politically agree on anything. So your hacktivism, to get a lot of support, has to be very nonpartisan. But lulz don’t need politics. It’s not ‘I believe in climate change, let’s hack Exxon.’ It’s ‘let’s go hack whoever we want.’ ”
Dalton Bennett contributed to this report.