Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Streaming Platform. Show all posts

Amazon Fined for Twitch Data Breach Impacting Turkish Nationals

 

Türkiye has imposed a $58,000 fine on Amazon for a data breach that occurred on its subsidiary, Twitch, in 2021. The breach exposed sensitive personal information of thousands of Turkish citizens, drawing scrutiny from the country’s Personal Data Protection Board (KVKK). The incident began when an anonymous hacker leaked Twitch’s entire source code, along with personally identifiable information (PII) of users, in a massive 125 GB torrent posted on the 4chan imageboard. The KVKK investigation revealed that 35,274 Turkish nationals were directly affected by the leak. 

As a result, KVKK levied fines totaling 2 million lira, including 1.75 million lira for Amazon’s failure to implement adequate preemptive security measures and 250,000 lira for not reporting the breach in a timely manner. According to the regulatory body, Twitch’s risk and threat assessments were insufficient, leaving users’ data vulnerable to exploitation. The board concluded that the company only addressed the vulnerabilities after the breach had already occurred. Twitch, acquired by Amazon in 2014 for $970 million, attempted to minimize concerns by assuring users that critical login credentials and payment information had not been exposed. The company stated that passwords were securely hashed with bcrypt, a strong encryption method, and claimed that systems storing sensitive financial data were not accessed. 

However, the leaked information still contained sensitive PII, leading to significant privacy concerns, particularly for Turkish users who were impacted. The motivation behind the hack was reportedly ideological rather than financial. According to reports from the time, the hacker expressed dissatisfaction with the Twitch community and aimed to disrupt the platform by leaking the data. The individual claimed their intent was to “foster more disruption and competition in the online video streaming space.” While this rationale highlighted frustrations with Twitch’s dominance in the industry, the data breach had far-reaching consequences, including legal action, reputational damage, and increased regulatory scrutiny. Türkiye’s actions against Amazon and Twitch underline the growing importance of adhering to local data protection laws in an increasingly interconnected world. 

The fines imposed by KVKK serve as a reminder that global corporations must ensure compliance with regional regulations to avoid significant penalties and reputational harm. Türkiye’s regulations align with broader trends, as data privacy and security become critical components of global business practices. This incident also underscores the evolving nature of cybersecurity challenges. Hackers continue to exploit vulnerabilities in popular platforms, putting pressure on companies to proactively identify and address risks before they lead to breaches. As regulatory bodies like KVKK become more assertive in holding companies accountable, the need for robust data protection frameworks has never been more urgent. The Twitch breach also serves as a case study for the importance of transparency and swift response in the aftermath of cyberattacks. 

While Twitch’s reassurances regarding encrypted data helped mitigate some concerns, the lack of prompt reporting to Turkish authorities drew criticism. Companies handling large amounts of user data must prioritize both preventive measures and clear communication strategies to regain user trust after incidents. Looking forward, the Twitch data breach highlights the necessity for all companies—especially those managing sensitive user data—to invest in proactive cybersecurity strategies. As hackers grow increasingly sophisticated, businesses must adopt a forward-thinking approach to safeguard their platforms, comply with local laws, and ensure users’ privacy remains uncompromised.

Roku Data Breach: Over 15,000 Accounts Compromised; Data Sold for Pennies

 

A data breach impacting more than 15,000 consumers was revealed by streaming giant Roku. The attackers employed stolen login credentials to gain unauthorised access and make fraudulent purchases. 

Roku notified customers of the breach last Friday, stating that hackers used a technique known as "credential stuffing" to infiltrate 15,363 accounts. Credential stuffing is the use of exposed usernames and passwords from other data breaches to attempt to enter into accounts on other services. These attacks started in December 2023 and persisted until late February 2024, as per the company. 

Bleeping Computer was the first to reveal the hack, pointing out that attackers used automated tools to undertake credential-stuffing assaults on Roku. The hackers were able to bypass security protections using techniques such as specific URLs and rotating proxy servers. 

In this case, hackers probably gained login credentials from previous hacks of other websites and attempted to use them on Roku accounts. If successful, they could change the account information and take complete control, locking users out of their own accounts. 

The publication also uncovered that stolen accounts are being sold for as few as 50 cents each on hacking marketplaces. Purchasers can then employ the stored credit card information on these accounts to purchase Roku gear, such as streaming devices, soundbars, and light strips. 

Roku stated that hackers used stolen credentials to acquire streaming subscriptions such as Netflix, Hulu, and Disney Plus in some instances. The company claims to have safeguarded the impacted accounts and required password resets. Furthermore, Roku's security team has discovered and cancelled unauthorised purchases, resulting in refunds for affected users. 

Fortunately, the data breach did not compromise critical information such as social security numbers or full credit card information. So hackers should be unable to perform fraudulent transactions outside of the Roku ecosystem. However, it is recommended that you update your Roku password as a precaution. 

Even if you were not affected, this is a wake-up call that stresses the significance of proper password hygiene. Most importantly, change your passwords every few months and avoid using the same password across multiple accounts whenever possible.

Netflix Password-Sharing Crackdown will Roll Out Worldwide Early Next Year

 

After the fall in subscriber base in the first two quarters of this year, popular streaming platform Netflix will now charge an extra fee from users for sharing their passwords starting early next year. 

After allowing customers to transfer their profiles to new accounts, the streamer says it will start letting users create sub-accounts in line with its plans to “monetize account sharing” more widely. 

The streaming giant confirmed it will roll out the $6.99 / month ad-supported tier, called Basic, on November 3rd in the US, Australia, Brazil, Canada, France, Germany, Italy, Japan, Korea, Mexico, Spain, and the UK. However, the company did not reveal how much subscribers will be charged for sharing their passwords with other users in India. 

Before implementing the password-sharing fee system, Netflix tested the scheme in Chile, Costa Rica, and Peru for about six months. This test established an account's primary residence as the "home" for the membership. 

If the service spotted streaming at any additional households for more than two weeks, it asked the user to set up a new account and pay for additional "homes". The company estimates more than 100 million people are currently using another household’s account worldwide. 

Subscription loss

Earlier this year in July, Netflix reported losing subscribers for the first time in over 10 years, with the firm’s subscriber count dipping by another 1.3 million in the US and Canada and 1 million worldwide last quarter. 

The company witnessed the highest growth when the pandemic hit in 2020 and people, stuck at home with limited option entertainment, flocked to monster hits like Squid game, and The Crown. It also pushed nearly all of Hollywood's significant media firms including Disney Plus, HBO Max, Peacock, Paramount Plus, and Apple TV Plus to pour billions of dollars into their streaming operations. 

But as the situation normalized, Netflix struggled to attract new subscribers and maintain the loyalty of existing members, especially as there were multiple streaming options and also the rising cost of living led to people cutting back. Now, feeling the heat of intensifying competition to hold onto the subscribers' attention, Netflix is pursuing strategies it had dismissed for years.

Amazon-owned Twitch Says Source Code Disclosed in Data Breach

 

Twitch, which is owned by Amazon.com Inc (AMZN.O), announced on Friday that last week's data breach at the live streaming e-sports platform includes documents from its source code. 

The streaming platform said in a statement that the users' passwords, login credentials, complete credit card numbers, or bank data were not accessed or disclosed in the breach. The platform, which is used by video gamers to communicate with users while live streaming content, attributed the breach to an issue in server configuration modification. 

During server maintenance, modifications to the server's configuration are made. A flawed configuration can allow unauthorized access to the data stored on the servers. 

Twitch said it was "confident" the incident affected only a small number of users and that it was contacting those who had been directly impacted. The platform has more than 30 million average daily visitors. 

Video Games Chronicle had reported that about 125 gigabytes of data was leaked in the breach.  Data includes details on Twitch's highest-paid video game streamers since 2019 such as a $9.6 million payout to the voice actors of the popular game "Dungeons & Dragons" and $8.4 million to Canadian streamer xQcOW. 

About the breach

On October 6, Twitch confirmed that it has suffered a major data breach and that a hacker accessed the company’s servers due to a misconfiguration change. 

A Twitch spokesperson stated on Twitter, “We can confirm a breach has taken place. Our teams are working with urgency to understand the extent of this. We will update the community as soon as additional information is available.” 

The leaked Twitch data reportedly includes: 
  • The entirety of Twitch’s source code with commit history “going back to its early beginnings” 
  • Creator payout reports from 2019 
  • Mobile, desktop, and console Twitch clients 
  • Proprietary SDKs and internal AWS services used by Twitch 
  • “Every other property that Twitch owns” including IGDB and CurseForge 
  • An unreleased Steam competitor, codenamed Vapor, from Amazon Game Studios 
  • Twitch internal ‘red teaming’ tools (designed to improve security by having staff pretend to be hackers) 
It is advised that Twitch users use two-factor authentication, which implies that even if the password is hacked, the user will still need to use the phone to confirm the identity via SMS or an authenticator app.