Following the trail of a massive increase in Twitch account takeover attacks
To view this report in its original white paper format as a PDF, click here
A rising tide of “hacked” Twitch user account complaints has been observed across the Internet: on Twitch streams themselves, on Reddit, on various forums and even at real-world meetups. An investigation into these claims confirmed the compromises and uncovered the methods used to access the accounts without permission. Many of these accounts were eventually found being monetized by way of subscriptions to Russian-language “sock” accounts, with Twitch paying out the resulting subscription revenue to those Russian accounts.
From the Twitch.TV Wikipedia Page:
Twitch is a live streaming video platform owned by Twitch Interactive, a subsidiary of Amazon. Introduced in June 2011 as a spin-off of the general-interest streaming platform, Justin.tv, the site primarily focuses on video game live streaming, including broadcasts of eSports competitions, in addition to music broadcasts, creative content, and more recently, “in real life” streams. Content on the site can be viewed either live or via video on demand.
The popularity of Twitch eclipsed that of its general-interest counterpart. In October 2013, the website had 45 million unique viewers, and by February 2014, it was considered the fourth largest source of peak Internet traffic in the United States. In August 2014, the service was acquired by Amazon, which later led to the introduction of synergies with the company’s subscription service Amazon Prime.
As of May 2018, it had 2.2 million broadcasters monthly and 15 million daily active users, with around a million average concurrent users.
Users who choose to stream on the platform have the opportunity to monetize these streams through (among other things) gaining subscribers. Twitch provides a base rate of 50% of subscription income to streamers with lower subscriber counts, and 70% for higher. While Twitch does not publish the exact subscriber count required to reach the 70% share, many speculate it to be 500.
While the streams are generally free for anyone to watch, fans of a streamer can actively support the streamer’s channel by “subscribing” to it. The cost of a subscription is tier based, ranging from $4.99 to $24.99, though the Amazon acquisition mentioned above also allows Amazon “Prime” members to subscribe to one Twitch channel for free. It is important to note that a Prime subscription still compensates the streamer the full agreed amount for their partnership level.
Twitch also provides other means for viewers to monetarily support their favorite streamers. Initially, streamers sought to pad their income by soliciting tips from their viewers as direct payments via PayPal and similar money-transfer services. While effective, “chargebacks” were common: a viewer would donate an amount of money and later claim it to be an unauthorized transfer. In 2017, recognizing both this issue and the fact that the process cut Twitch out of its normal share, Twitch rolled out the “bits” donation system. Bits are similar to the “store bucks” common throughout the 1980s and 1990s, or to arcade tokens, in that money is exchanged for them; each bit is worth $0.01 USD to the streamer, but Twitch keeps a percentage of the purchase price rather than converting one-to-one (i.e. $1.00 USD results in the receipt of 60 “bits”). Later, Twitch also introduced the option for users to “gift” subscriptions to a streamer’s channel to other users at the standard rate.
Streamers sometimes offer various perks for each tier to encourage subscription. Some common bottom-tier perks include “badges,” which are simply icons next to a user’s handle in the chat window indicating various statuses (subscriber, moderator, etc.), and access to custom chat emoji which everyone can see, but only subscribers can post.
Account Takeover (ATO) attacks are possibly the most prevalent attack type on the Internet today. The primary form is the “wordlist attack,” which feeds a pre-compiled list of strings as usernames and/or passwords in the hope of gaining access; when the list consists of username/password pairs leaked from other sites, it is usually called credential stuffing. This is often far more effective than a “brute force” attack, which generates candidate strings mechanically, because humans still tend to create passwords by hand and base them on things they are emotionally tied to, such as family members, pets and sports teams. This tendency greatly reduces the effective “keyspace” for guessing the password, making a wordlist attack dramatically faster and more successful than brute forcing.
Regardless of which method is used, the attack is almost always automated, as manually entering such large numbers of credentials (at least 8 million in this case) would be far too time-consuming for a human. At the time of this writing, Twitch does not appear to have any sophisticated bot detection to defend against automated login attempts. Basic protection seems to be in place via Google’s reCAPTCHA, though it appears to have a very lenient trigger threshold; this was confirmed by attempting logins with known-bad credentials against the researchers’ own accounts. reCAPTCHA is also easily bypassed using any number of inexpensive paid solving services. Independently of ATOs, the existence of countless “pay for followers” services implies that automated access to Twitch goes relatively unimpeded, which can be devastating for the security, usability and desirability of a web-based community such as Twitch.
ATOs on Twitch are extremely common, since even a single streamer account can generate a living wage. As streamers grow in popularity, their risk of becoming a specific target increases, not only because of the revenue they generate but also because of the notoriety a successful attack brings the attacker.
Between 2017 and 2019 a sharp increase in “hacked account” complaints on Reddit and Twitter was noted. These complaints generally revolved around users no longer being able to log into their Twitch accounts, sometimes being logged out mid-session. As these two social media platforms are heavily used by Twitch streamers, they serve as excellent gauges for the Twitch microcosm. By December 2019, these complaints had become the most common post on Reddit’s /r/twitch subreddit, vastly eclipsing any other post topic.
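The automated credential testing described above leaves a recognizable pattern in a service’s own login telemetry even when no bot-detection product is in place. The following is an added example (not code from the paper or from Twitch) of the simplest detection a defender can run over login-attempt records: per source IP, a sliding window that counts distinct usernames and the success ratio. The log records, IP addresses, usernames and thresholds are constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample login records: (timestamp, source IP, username, succeeded).
# 203.0.113.7 behaves like a credential-stuffing bot: six different accounts in
# two seconds with one hit. 198.51.100.4 is a human mistyping their own password.
SAMPLE_LOG = [
    ("2019-03-02T10:00:00.000", "203.0.113.7", "streamer_a", False),
    ("2019-03-02T10:00:00.400", "203.0.113.7", "streamer_b", False),
    ("2019-03-02T10:00:00.800", "203.0.113.7", "streamer_c", True),
    ("2019-03-02T10:00:01.200", "203.0.113.7", "streamer_d", False),
    ("2019-03-02T10:00:01.600", "203.0.113.7", "streamer_e", False),
    ("2019-03-02T10:00:02.000", "203.0.113.7", "streamer_f", False),
    ("2019-03-02T10:00:05.000", "198.51.100.4", "casual_viewer", False),
    ("2019-03-02T10:00:19.000", "198.51.100.4", "casual_viewer", False),
    ("2019-03-02T10:00:41.000", "198.51.100.4", "casual_viewer", True),
]


def detect_stuffing(records, window=timedelta(seconds=60),
                    min_distinct_users=5, max_success_ratio=0.25):
    """Return {ip: summary} for every source IP that, within any `window`,
    tried at least `min_distinct_users` different accounts with a success
    ratio of at most `max_success_ratio`. Thresholds are illustrative."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in sorted(records):          # ISO timestamps sort as text
        by_ip[ip].append((datetime.fromisoformat(ts), user, ok))

    flagged = {}
    for ip, attempts in by_ip.items():
        recent = deque()   # attempts inside the sliding window, oldest first
        for ts, user, ok in attempts:
            recent.append((ts, user, ok))
            while ts - recent[0][0] > window:
                recent.popleft()
            users = {u for _, u, _ in recent}
            successes = sum(1 for _, _, s in recent if s)
            if (len(users) >= min_distinct_users
                    and successes / len(recent) <= max_success_ratio):
                # The successful logins inside a flagged window are the accounts
                # whose leaked password just worked: those need a forced reset.
                flagged[ip] = {
                    "attempts": len(recent),
                    "distinct_users": len(users),
                    "successes": successes,
                    "compromised": sorted(u for _, u, s in recent if s),
                }
    return flagged


if __name__ == "__main__":
    for ip, summary in detect_stuffing(SAMPLE_LOG).items():
        print(ip, summary)
```

The signal is the combination of many distinct usernames and a success ratio close to zero from one source, which neither a legitimate user nor a shared office NAT produces at sub-second spacing. A real stuffing operation spreads attempts over proxies, so per-IP counting is only the floor; the same window logic applied per ASN, per device fingerprint or across the whole login endpoint (global failure ratio) catches the distributed case.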
Small sample of Reddit Posts on Twitch ATOs
Concerned, the researchers began reaching out to the authors of these posts to gauge the personal security situation of those affected. In every case where an affected user responded, it was determined that they had made one or more of the following common security mistakes, and in most cases all three:
- Failure to implement non-SMS Multi-Factor Authentication (or any MFA at all)
- Failure to use a unique password
- Use of an email/password combination that had appeared in known breach dumps (see https://haveibeenpwned.com)
Taking this one step further, the Primary Researcher, himself a popular Twitch streamer (“Jaku”), compared a list of email addresses belonging to moderately popular streamers against the Have I Been Pwned database. These addresses were obtained through pre-existing relationships with the streamers themselves, which greatly increased the candidness and honesty of their responses. These streamers all corroborated the existing findings of poor user security, thus explaining the high rates of success.
Increase in Complaints
In January 2019, the makers of the popular game “Town of Salem” suffered a massive data breach due to misconfigured servers, exposing (among other things) 7.8 million users’ email addresses and passwords. Almost immediately, complaints of “hacked” Twitch accounts spiked significantly. Continued research reached the same conclusion as before: automated account takeovers using leaked credentials were the cause.
The massive increase in “hacked account” complaints brought to light another complication of the incident: Twitch was taking longer to return account access to the proper owners, with some users reporting up to 4 weeks without access. Social media, as it does, let the affected users “fan the flames” of the situation, and an angry mob began forming, claiming Twitch was actively choosing to do nothing about the problem.
The researchers reached out to Twitch on multiple fronts to obtain even unofficial, off-the-record statements on what was being done internally to deal with the issue, but were met with nothing beyond responses in the vein of “we’re working on it.” Taking matters into their own hands, the researchers launched a multi-stage security awareness campaign aimed specifically at Twitch users. This campaign included:
- A multi-part Twitch User Security Guide covering personal security and Twitch specific options, as well as discussions of why enhanced security is important and why seemingly mundane user accounts are being targeted.
- A Reddit “AMA;” a special event hosted on Reddit forums where persons important to, or extremely knowledgeable in a specific (often obscure) topic are brought in for a several-hour “Ask Me Anything” session.
- Researcher “Jaku” joining the /r/twitch subreddit as a moderator, allowing the researchers to more effectively provide personal security advice as well as providing the researchers with greater insight into the ongoing problem
The combination of ramped-up attacks and greater user trust in the researchers eventually allowed a distinct attack chain to be pieced together. It was already obvious that the attackers were using leaked credentials to compromise accounts, but the apparent rate of success was suspiciously high. Attempting to test even just all KNOWN leaked credentials against Twitch’s authentication system would take a substantial amount of time, even given Twitch’s apparent lack of defenses against automated login attempts.
Based on common elements in compromised users’ stories, the attackers were likely using the following attack chain to compromise accounts:
- 1a) The attacker, using an existing PayPal account, sends the target streamer $1. Because PayPal addresses payments to an email address, the streamer must give the attacker the email address registered with PayPal in order to receive the payment, and that address is frequently the same one used for Twitch.
- 1b) Instead of 1a, some attackers take a less targeted approach, simply trying ALL credential pairs they have available, and skip straight to the login attempts in step 3.
- 2) The email address is then looked up in a collection of breached credentials. This collection more than likely consisted of AT LEAST the Town of Salem breach mentioned above, but could easily contain the hundreds of millions of credentials that have been publicly leaked over time.
- 3) If the address is found in that collection, the associated passwords are used to attempt to log in to the target’s Twitch account.
- 4) The attacker changes the account password to maintain persistence. This only began in March 2019 (see below); before then, accounts were left unmodified so as not to alert the owner.
- 5) If the account is linked to an Amazon Prime membership and the free Prime subscription has not been used, it is given to a sock channel (see “Sock Accounts & Monetization” below).
- 6) Monetization begins.
In March 2019, to combat the issue of users being unaware of account compromises until it was too late, Twitch began sending email alerts to users upon successful login. This had the unintended effect of prompting attackers to change the registered email address on compromised accounts as well as the password. Additionally, it has been reported that attackers were also enabling Two-Factor Authentication on the stolen accounts, which some users alleged increased the time Twitch Support took to return account ownership, though this could not be confirmed.
Sock Accounts & Monetization
Compromised accounts provide multiple points of value:
- “Pay for Followers” services are present on most social media and streaming platforms, and Twitch is no exception. Compromised accounts can be made to follow any account on the platform for a relatively small fee.
- Payment methods associated with the accounts (PayPal, credit card) can be used to purchase Twitch services such as subscriptions and bits, which can eventually be converted to fiat currencies via payments from Twitch
- Receiving payment from Twitch as a streamer requires at least $100 in bits/subscriptions; compromised accounts can be used to reach this goal
The compromised-user reports gathered by the researchers allowed for the discovery of “Sock Accounts” — fake streamer accounts created by attackers for the purpose of monetizing compromised accounts. These were found via users whose compromised accounts had not had their passwords changed but were discovered to be subscribed to new, unfamiliar streamers.
The investigation into these mystery streamers revealed various unusual activities, some used to avoid drawing attention to themselves, some for monetization, but all added up to very obvious channels full of stolen user accounts. The key suspicious activities were:
- The sock streamers always used Russian words and names. This is not explicitly suspicious on its own, however, the fact that these accounts seem to be collaborating with each other is (more below).
- The sock streamers would stream gameplay footage of either unpopular or VERY popular games, likely to avoid accidentally attracting unwanted attention from random viewers (streaming popular games hides them amongst the thousands of other streamers doing the same).
- This serves the secondary purpose of “cloaking” the activity from any suspicious-activity alerting Twitch may have, as accounts that never stream but are nonetheless gaining subscribers would be a massive red flag.
- Gameplay does not have a host appearing or even speaking in many cases, which is extremely odd on this personality-based streaming platform. It violates the core concept of Twitch.
- Chat room members do not chat, which is again extremely odd on a platform designed for interaction.
- Followers and subscribers would join while the channel is not even streaming, which is also extremely rare in these quantities
- Subscriber levels would be kept around 50 per channel; enough to garner payment from Twitch, but not so much as to draw attention.
- It is suspected that many, if not all of these Russian-named accounts may all be operated by the same group, and acting as a spillover for subscribers so as to keep the per-channel counts low.
- Followers and Subscribers would be added in groups, sometimes less than 1 second apart. This is very rare for such low-profile channels:
While automated ATO attacks will likely never disappear, there are many defenses against the particular methods described in this paper. As recommendations for end users have already been discussed at length by the researchers in their Twitch User Security Guide, this section focuses on recommendations that Twitch, and in some cases services in other verticals, can use to establish better defenses against these types of account takeover and monetization attacks. Many of these recommendations have been made to Twitch publicly and privately where possible, with little to no response as of this publication.
Low-Cost & Easily-Implemented Defenses
- Disable the use of email address as a login credential. As all users also know their usernames, this is a free and likely easy-to-implement change.
- This would deal a massive blow to the ATO attacks using the PayPal email address method, as the leaked credentials being used contain only email addresses, and not necessarily Twitch-specific usernames.
- While this does still allow the attackers to attempt to discover matching usernames in the leaks and hope this match is not coincidental, many leaked credentials do not include usernames, thus limiting available passwords.
- NOTE: While Twitch does not explicitly state that email addresses can be used as a login credential, the researchers have confirmed this is still possible at the time of this publication.
- Send notifications to the old email address when the address is changed.
- To encourage better 2FA adoption from users, provide “perks” for users who enable this.
- “Badges” (icons displayed next to Twitch usernames in Chat) are a particularly desirable perk which users actively vie for. Twitch already has a system in place to assign badges based on various user account metrics such as account age, so adding a badge based on security feature usage may be quite easy, and free.
- Partner with an enterprise leaked credential monitoring service such as Dehashed to alert users when their email addresses are leaked from other sites, as well as potentially provide another avenue of alerting to potential Twitch credential leaks.
- Disable the ability to enable 2FA for 48 hours after a password or email address change.
- This prevents compromised account owners from being permanently locked-out before they can perform a password reset or contact Twitch support to regain control in the case of a changed email address.
- Apple famously implemented this kind of waiting period after the celebrity iCloud compromises of 2014.
- Remove Authy as the only supported 2FA system.
- Authy offers an SMS (“text messaging”) fallback for delivering 2FA codes, leaving users susceptible to “SIM swap” attacks, in which the attacker convinces the carrier to move the victim’s phone number to a SIM they control and then receives the incoming codes. While this attack takes effort and is comparatively rare, it has been seen in the wild in many celebrity-targeting cases, including the compromise of famous streamer “Dr. Disrespect’s” account. Supporting an authenticator app (TOTP) or hardware security key with no SMS fallback closes this avenue.
- Implement a system for deflecting automated abuse.
- As nearly all web-based attacks against companies of any type are executed with some form of automation, because of the massively increased return on investment it provides, modern web services such as Twitch should invest in automation-deflection technology instead of relying on easily bypassed defenses such as reCAPTCHA or IP blacklisting.
- Allow users to register themselves with Twitch Support via some mechanism that is difficult to spoof.
- This allows locked-out users to be immediately identified as the proper account owner and have access returned to them as quickly as possible
- Security Questions are a poor version of this due to streamers actively discussing their private lives in public streams on a regular basis, which may inadvertently leak answers.
- Blizzard has implemented this by accepting government-issued photo IDs as registration documents. Users must submit a photo of this ID in order to access certain aspects of support, such as password and email resets. NOTE: THIS REQUIRES HEIGHTENED SECURITY surrounding storage and transmission of these photos / data, and may subject Twitch to additional regulatory requirements.
- Monitor subscription and new follower frequencies using behavioral analysis and anomaly detection algorithms.
- The new follower and subscription rates shown in this paper are blatantly anomalous, and would not require particularly advanced detection mechanisms. These mechanisms could likely be developed in-house relatively quickly.
- This will occasionally produce false positives, such as when a relatively unknown streamer does something that causes an immediate spike in popularity, but these instances are also quickly identified.
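Three of the recommendations above (the 48-hour hold on enabling 2FA after a password or email change, notifying the old address when the email changes, and checking passwords against a leaked-credential corpus) are small pieces of account-state logic that fit together. The following is an added example, not code from the paper or from Twitch, that models them in one place and replays the attacker’s moves from the attack chain against the policy. The breach lookup uses the k-anonymity range query of Have I Been Pwned’s Pwned Passwords API, where only the first five hex characters of the password’s SHA-1 are sent and the suffix is matched locally; `fetch_range_live` issues the real request, while the offline responder and its counts, the email addresses, the timestamps and the message text are constructed so the example runs without network access.

```python
import hashlib
from datetime import datetime, timedelta
from urllib.request import Request, urlopen

TWO_FA_HOLD = timedelta(hours=48)      # assumed cooldown after a sensitive change
HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def fetch_range_live(prefix):
    """Real k-anonymity query: only the first 5 hex chars of SHA-1 leave the host."""
    req = Request(HIBP_RANGE_URL + prefix, headers={"User-Agent": "ato-example"})
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed offline stand-in. 5BAA6 plus the first suffix is the real SHA-1 of
# "password"; the counts and the second suffix are made up for this example.
FAKE_RANGES = {"5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
                        "00000D2C2C1E8E8C9D0F8C7F8F7E6D5C4B3:2\r\n"}


def fetch_range_offline(prefix):
    return FAKE_RANGES.get(prefix, "")


def pwned_count(password, fetch_range=fetch_range_live):
    """Times the password appears in the breach corpus; 0 if never."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


class AccountSecurity:
    """Minimal model of the account state that matters for takeover recovery."""

    def __init__(self, email, fetch_range=fetch_range_offline):
        self.email = email
        self.two_factor_enabled = False
        self.last_sensitive_change = None
        self.fetch_range = fetch_range
        self.outbox = []             # (recipient, message) a real system would email

    def change_password(self, new_password, now):
        # Refuse any password already in a breach dump: that is exactly what
        # the stuffing lists are built from.
        if pwned_count(new_password, self.fetch_range) > 0:
            return False
        self.last_sensitive_change = now
        self.outbox.append((self.email, "Your password was changed."))
        return True

    def change_email(self, new_email, now):
        old_email = self.email
        self.email = new_email
        self.last_sensitive_change = now
        # The OLD address is the real owner's last remaining channel, so the
        # alert (and ideally a revert link) must go there as well.
        self.outbox.append((old_email, f"Your email was changed to {new_email}. "
                                       "If this was not you, use the recovery link."))
        self.outbox.append((new_email, "Confirm this address for your account."))

    def enable_two_factor(self, now):
        """Allowed only once TWO_FA_HOLD has passed since the last sensitive change."""
        if (self.last_sensitive_change is not None
                and now - self.last_sensitive_change < TWO_FA_HOLD):
            return False
        self.two_factor_enabled = True
        return True


def attacker_timeline(start=datetime(2019, 3, 15, 9, 0)):
    """Replay steps 4 onward of the attack chain against the policy."""
    acct = AccountSecurity("owner@example.com")                 # constructed
    weak = acct.change_password("password", start)              # rejected: breached
    strong = acct.change_password("7Qm!fz#Vk3wLp^2r", start)    # accepted
    acct.change_email("attacker@example.net", start + timedelta(minutes=1))
    return {
        "weak_password_accepted": weak,
        "strong_password_accepted": strong,
        "2fa_after_2min": acct.enable_two_factor(start + timedelta(minutes=2)),
        "2fa_after_47h": acct.enable_two_factor(start + timedelta(hours=47)),
        "2fa_after_hold": acct.enable_two_factor(start + timedelta(minutes=1) + TWO_FA_HOLD),
        "alert_recipients": [recipient for recipient, _ in acct.outbox],
    }


def fresh_account_can_enroll(now=datetime(2019, 3, 15, 9, 0)):
    """An untouched account has no hold and can enable 2FA immediately."""
    return AccountSecurity("viewer@example.com").enable_two_factor(now)


if __name__ == "__main__":
    for key, value in attacker_timeline().items():
        print(f"{key}: {value}")
```

The hold only has to survive the attacker’s first 48 hours: the legitimate owner, alerted at the old address, can reset the password or open a support ticket inside that window, and the attacker cannot lock 2FA onto the account before then. The same hold applies to the owner’s own changes, which is the accepted cost; an untouched account enrols immediately.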
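The follower and subscriber patterns listed under “Sock Accounts & Monetization” (arrivals less than a second apart, growth while the channel is not streaming) translate directly into detection rules. The following is an added example, not code from the paper or from Twitch, that runs those two rules over constructed subscription events for a sock-like channel and an organic one, and covers the false-positive caveat above: a legitimate popularity spike also produces a burst, but one that arrives while the channel is live, so it is routed to review rather than flagged outright. Channel names, stream windows, timestamps and thresholds are all constructed.

```python
from datetime import datetime, timedelta


def _t(s):
    return datetime.fromisoformat(s)


# Constructed sample data: each channel has the windows during which it was
# live and the timestamps of its new subscriptions.
LIVE = [(_t("2019-03-10T18:00:00"), _t("2019-03-10T20:00:00"))]

SOCK_CHANNEL = {   # 8 subs 0.3 s apart, an hour after the stream ended
    "name": "sock_channel", "live_windows": LIVE,
    "subs": [_t("2019-03-10T21:00:00") + timedelta(milliseconds=300 * i) for i in range(8)],
}
ORGANIC_CHANNEL = {   # spread out during the stream, one straggler from a VOD viewer
    "name": "organic_channel", "live_windows": LIVE,
    "subs": [_t(s) for s in ("2019-03-10T18:05:00", "2019-03-10T18:20:00",
                             "2019-03-10T18:21:00", "2019-03-10T19:10:00",
                             "2019-03-10T19:40:00", "2019-03-10T22:00:00")],
}
RAIDED_CHANNEL = {   # a burst, but mid-stream: the false-positive case
    "name": "raided_channel", "live_windows": LIVE,
    "subs": [_t("2019-03-10T19:00:00") + timedelta(milliseconds=500 * i) for i in range(6)],
}


def is_live(windows, ts):
    return any(start <= ts <= end for start, end in windows)


def analyze_channel(channel, burst_gap=timedelta(seconds=1), burst_min=3,
                    offline_threshold=0.5):
    """Apply the two observed sock-channel traits to a channel's subscription
    events. Thresholds are illustrative assumptions, not Twitch's."""
    subs = sorted(channel["subs"])
    if not subs:
        return {"name": channel["name"], "verdict": "normal",
                "largest_burst": 0, "offline_ratio": 0.0}

    # Rule 1: longest run of consecutive subs arriving <= burst_gap apart.
    largest = run = 1
    for prev, cur in zip(subs, subs[1:]):
        run = run + 1 if cur - prev <= burst_gap else 1
        largest = max(largest, run)

    # Rule 2: share of subs that arrived while the channel was not streaming.
    offline = sum(1 for ts in subs if not is_live(channel["live_windows"], ts))
    offline_ratio = offline / len(subs)

    burst_flag = largest >= burst_min
    offline_flag = offline_ratio >= offline_threshold
    if burst_flag and offline_flag:
        verdict = "suspicious"   # bulk-subscribing stolen accounts to a dead channel
    elif burst_flag or offline_flag:
        verdict = "review"       # e.g. a raid or viral clip: bursty, but live
    else:
        verdict = "normal"
    return {"name": channel["name"], "verdict": verdict,
            "largest_burst": largest, "offline_ratio": round(offline_ratio, 2)}


if __name__ == "__main__":
    for ch in (SOCK_CHANNEL, ORGANIC_CHANNEL, RAIDED_CHANNEL):
        print(analyze_channel(ch))
```

Neither rule needs a trained model; both run on data the platform already has (stream session boundaries and subscription timestamps). In production the per-channel result would be combined with the account-level signal from the login side, since the subscribing accounts in a “suspicious” burst are exactly the ones that recently logged in from a flagged source.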
Automated account takeover is one of the predominant threats on the Internet today, and likely always has been. End users cannot be relied upon to secure themselves: they will usually take the path of least resistance and then blame the host company when an account takeover occurs, creating public-relations difficulties. Many defenses exist against such threats, and of those, many do not require purchasing third-party technology and are sometimes very easy to implement.
Behavior analysis is critical to modern security monitoring. As breaches and credential leaks continue to increase, and automated attacks become more sophisticated, behavioral analysis is quickly becoming one of the only effective means of identifying malicious activity.
While behavior analysis can be a complex monitoring solution to build and implement, defending against the automation tools being used by attackers can be a much more concise and effective approach. Several solutions exist to assist with this, some of which are very effective. Detecting and deflecting automated abuse is often far more effective than attempting to build a granular defense-in-depth against the multitude of attack types, chains and methodologies in existence, not to mention those yet to be developed.
Finally, it is critical for an organization’s security staff to be monitoring various social media platforms such as Reddit and applicable forums. These have the potential to effectively perform as free monitoring solutions, alerting to the rising tide of a problem that may otherwise be escaping established security controls.
ABOUT THE AUTHORS
Matthew “Jaku” Jakubowski
With more than 10 years of information security experience, Jaku works in Information Security at the industrial monitoring and security firm Uptake. He is world-renowned for his security research in multiple areas, including cellular and wireless communications, hotel security, the Internet of Things and many more.
His research has been featured by many media outlets, including Wired, Network World, The Washington Post, eWeek, PC World, CNET, Computerworld, CNN, Gizmodo, NPR & Forbes. In addition, he has provided presentations of his research to both public and private audiences and is a founding member of Chicago’s largest Hacking conference, THOTCON.
In 2010, Trustwave-SpiderLabs named Jaku “World’s Number #1 Hacker”. This title has been unchallenged for nearly 10 years.
Johnny has been presenting on hacking, research and the Information Security career vertical for nearly 20 years, presenting on many topics at nearly 100 events in 6 countries. He’s also a founder and co-coordinator for BurbSec, the most famous and consistently well-attended set of Information Security meetups in the US.
Most noted for his work between 2014 and 2016 exposing critical flaws in the TSA’s master key systems, he has been featured in major media outlets such as Fox News, Gizmodo, TechCrunch, BoingBoing, The Hill, Mother Jones and ZDNet, among many more.
Johnny has held professional security positions ranging from Security Engineer, Penetration Tester, Physical and Digital Security Consultant, Industrial Control Systems Security Researcher, and is currently the Director of Field Engineering at Kasada, Inc.