SecPro #22: Introducing the SecPro Ambassador Program, Just How Bad the Twitch Leak Was?
In today’s issue:
- The Great Twitch Leak – Just How Bad Was It?
- Launching the SecPro Ambassador Rewards Program
- How To Perform a Network Vulnerability Assessment with Nmap
- Recent Security Issues
- Secret Knowledge: Building Your Security Arsenal
Data Breaches: The Great Twitch Leak – Just How Bad Was It?
By Austin Miller
TL;DR: 4Chan has been at it again. And this time they got a whale – Twitch.
The Amazon affiliate streaming platform was hacked on Oct 6th and has faced a massive leak. Although there are few security concerns for users at this time, the overall damage to the platform could be disastrous.
Although big names like Critical Role, Pokimane, and Limmy will walk away unscathed, many Twitch users are worried about their passwords, payment details, and any other compromising data that was captured in the leak. So what exactly happened and how did it go so wrong for Twitch?
Bezos Paid $970 Million – You Get It For Free!
Amazon acquired Twitch Interactive in 2014 for $970 million, something that the hackers found especially funny. The “twitch leaks part one” post on 4Chan signed off with “Jeff Bezos paid $970 million for this, we’re giving it away FOR FREE. #DoBetterTwitch”, something that probably sits heavily on the Amazon executive chairman’s mind.
Twitch leak post on 4Chan
The extent of the leak is massive – source code, emails, password hashes, the lot
The hackers dumped 125GB of data onto 4Chan. Digging through it, you can find:
- The twitch.tv source code
- All console clients
- All Twitch owned property
- An unreleased competitor to Steam by AGS
- The Twitch red team tools
- Records of Twitch account payouts
- Controversial findings about the Golden Kappa emoticon
For an organization this big, it’s a catastrophic failure.
1. All Payouts Logged
For people not in the know about Twitch, successful streamers make a lot of money. But up until the leak, we didn’t know quite how much.
With payouts logged from August 2019 to October 2021, we can see that Critical Role – undoubtedly one of the biggest names on the platform – has managed to rake in over $9.6 million and xQc has received $8.4 million from Twitch. As you look through the top 100 earners, there are some truly nose-bleed-inducing payouts for the big names on the scene.
If you want to find out how much your favorite streamer has managed to rake in (or have an existential crisis about how much you could earn if you were better at CS:GO), the top 100 earners are listed in this tweet by @KnowSomething.
2. The Golden Kappa Is A Lie?
Chasing a unicorn is always fun, but Twitch viewers received a pretty nasty surprise in this leak. The Golden Kappa is an emoticon of Josh DeSeno’s face – a former employee of Justin.tv, the predecessor of Twitch – that apparently appears at random.
In order to get the Golden Kappa, users believed that they had to post the regular Kappa (a grayscale emote of Mr. DeSeno’s nonplussed face) that would be randomly upgraded to a more golden appearance. But the leak has exposed that it’s not random at all.
Twitch source code
Not so random after all…
It turns out that the source code contains a list of whitelisted members that choose who gets the Golden Kappa. Needless to say, people reacted strongly to finding out that effectively spamming the plain grayscale Kappa has been a waste of time.
3. How Did The Source Code End Up On 4Chan?
We shouldn’t mince words here – this is the biggest data leak that has occurred in a long time. An organization shouldn’t have been able to get access to all of this information through one hack.
But that’s apparently what happened.
According to a blog post on the Twitch site, some data was exposed during a Twitch server configuration change. This was then seized on by a malicious third party, who remains unknown as of yet.
4. Do I Need To Worry?
Despite initial scares about credit card information being leaked, there’s nothing much to worry about if you’re not a Twitch user. As Twitch stated in its only public statement about the event, there’s no evidence that passwords have been compromised yet.
But the hackers still might have accessed the emails and password hashes. This leak was referred to as “twitch leaks part one” by Anon, so there’s potential for a further leak in the near future – remember that the entire source was leaked which potentially includes the hashing algorithm. Although it would still take some time to crack the salted hashes, it’s a lot easier when working backward from a known algorithm.
My advice is for all Twitch users to change their passwords, especially before a potential leak (although anon promised this would happen on Monday 11th October and has, so far, failed to deliver). If you have used the same password with many other sites, now is a good time to start using a password manager to cut down on the threat of credential stuffing.
Launching the SecPro Ambassador Program!
Enjoying the SecPro? Chances are you have a friend or a coworker who’d like to read the SecPro as much as you do.
Rack up rewards by sharing your personal link to your network. When you share the SecPro using the button below and new readers sign up, you earn exciting prizes and bonus content!
Note: In order to generate your unique link to share with your network, you will be requested to verify your email id first. This is a one-time activity for all registered users.
Tutorial: How to Perform a Network Vulnerability Assessment using Nmap
By Glen D. Singh
A vulnerability assessment allows cybersecurity professionals such as ethical hackers, penetration testers, and even system engineers to identify the number of security weaknesses which exist within their organization. Vulnerability assessment does not only help discover security flaws on a system but also helps professionals to determine the vulnerability score and risk factors. This information can help you to allocate resources to resolve higher priority risks quickly and prevent potential cyber-attacks and threats.
The Nmap Scripting Engine (NSE) is a powerful component of Nmap. It lets you write your own scripts to automate specialized scans, and it lets you run the existing scripts that ship with it to find security vulnerabilities.
To get started with Nmap, use the following steps:
- Head over to https://nmap.org/download.html and download the Nmap version suitable for your operating system, whether you’re running Windows, Linux, or macOS. Keep in mind, Nmap uses a command-line interface (CLI) by default.
- If you’re installing Nmap on a Windows host computer, the graphical user interface (GUI) version of Nmap, called Zenmap, is also installed automatically. It has similar capabilities to its CLI counterpart.
- Additionally, if you’re an ethical hacker or penetration tester, you’re most likely using Kali Linux. The best thing about Kali Linux is that it has Nmap pre-installed ready to be used.
Use the following commands on Kali Linux or your OS of choice to perform a scan to identify the operating system of a host machine:
kali@kali:~$ nmap -A -p- target-IP-address
This allows Nmap to profile the target, providing us with the operating system version, all open ports, their service versions, and basic script scanning.
We now need to perform research on the service versions found on each open port. Let’s take the service version of the FTP service, which is vsftpd 2.3.4, and search on Google for known vulnerabilities and exploits.
As shown in the above screenshot, with a little research using the service versions of open ports, you can quickly determine the security vulnerabilities on the running service.
Furthermore, you can invoke the Nmap Scripting Engine (NSE) which contains a ton of pre-built scripts for specific vulnerabilities on a system. Visit https://nmap.org/nsedoc/ to see a list of all the NSE scripts, their description, and categories. To perform a scan using a script with NSE, use the following syntax:
nmap --script script-name target-IP-address
Below is an example of a vulnerability scan on a target to determine whether the vsFTPd 2.3.4 service is actually vulnerable and would allow backdoor access if exploited by a threat actor:
nmap --script ftp-vsftpd-backdoor 172.30.1.26
The following snippet shows the results of this scan:
NSE was able to send special network probes to the target and was able to determine if a vulnerability really existed within the running application of the target.
While there are hundreds of scripts to choose from within NSE, you can use NSE to execute all the scripts of a particular category. All necessary scripts for vulnerability detection can be found at https://nmap.org/nsedoc/categories/vuln.html. If you want to use all the scripts within the list on single or multiple targets, you can simply specify the entire category by using the following commands:
nmap --script vuln 172.30.1.26
The scan will take a bit longer to complete as Nmap tests the target against each script within the vulnerability category. The final result of the scan will display the vulnerabilities found and which script from the list was used to discover each security flaw on the target, as shown below:
I hope you found this article useful and understood how to use Nmap to perform a vulnerability scan and assessment on systems within an organization’s network.
Disclaimer: Do not perform scans on systems or networks which you don’t own or don’t have legal permissions to do so. Scanning is both intrusive and illegal without proper permission.
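The research step in the tutorial above (list each open port's service version, then see which NSE scripts reported a problem) is easier to repeat when the scan is saved as XML with Nmap's -oX option. The following is an added example, not part of the original tutorial: the XML report is a constructed sample, and triage() is a hypothetical helper name.

```python
import re
import xml.etree.ElementTree as ET

# Constructed, trimmed sample of a report saved with:
#   nmap -sV --script vuln -oX report.xml target-IP-address
SAMPLE_XML = """<nmaprun scanner="nmap">
 <host>
  <address addr="172.30.1.26" addrtype="ipv4"/>
  <ports>
   <port protocol="tcp" portid="21"><state state="open"/>
    <service name="ftp" product="vsftpd" version="2.3.4"/>
    <script id="ftp-vsftpd-backdoor"
            output="&#10;  VULNERABLE:&#10;    State: VULNERABLE (Exploitable)"/>
   </port>
   <port protocol="tcp" portid="443"><state state="open"/>
    <service name="http" product="Apache httpd"/>
    <script id="ssl-poodle" output="&#10;  State: NOT VULNERABLE"/>
   </port>
   <port protocol="tcp" portid="23"><state state="closed"/>
    <service name="telnet"/>
   </port>
  </ports>
 </host>
</nmaprun>"""

# Status line printed by NSE's vulns library, e.g. "State: LIKELY VULNERABLE".
STATE_RE = re.compile(r"State:\s*((?:NOT |LIKELY )?VULNERABLE)")

def triage(xml_text):
    """Return (services, findings) for every open port in an Nmap XML report."""
    services, findings = [], []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue  # closed/filtered ports are not part of the inventory
            portid = int(port.get("portid"))
            svc = port.find("service")
            parts = (svc.get("product"), svc.get("version")) if svc is not None else ()
            services.append((addr, portid, " ".join(p for p in parts if p) or "unknown"))
            for script in port.iter("script"):
                m = STATE_RE.search(script.get("output", ""))
                # Keep VULNERABLE and LIKELY VULNERABLE, drop NOT VULNERABLE.
                if m and not m.group(1).startswith("NOT"):
                    findings.append((addr, portid, script.get("id"), m.group(1)))
    return services, findings

if __name__ == "__main__":
    services, findings = triage(SAMPLE_XML)
    for row in services:
        print("service", *row)
    for row in findings:
        print("finding", *row)
```

For a real report on disk, load it with ET.parse("report.xml").getroot() instead of ET.fromstring, since Nmap's file starts with an XML encoding declaration.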
Recent Security Issues
- On October 10th, a leading medical technology company, Olympus, was hit by a cyberattack that forced it to shut down its IT systems in the Americas region, including the U.S., Canada, and Latin America. The company was not able to disclose whether there was a breach of customer/company data but assured that it would release the details of the attack very soon.
- A recently discovered vulnerability in Apache HTTP Server (CVE-2021-41733) is being actively exploited in the wild. This vulnerability is a path traversal and file disclosure vulnerability that could allow an attacker to map URLs outside of the document root. It could also result in the exposure of the source of interpreted files like CGI scripts. The exploitation of this vulnerability is of very low complexity and poses a critical threat to all users of this open-source software.
- One of Scotland’s biggest engineering and mining equipment firms, Weir, has been hit by a ransomware attack that forced it to delay shipments worth more than £50m in revenue.
DDoS Threat Report
- Nexusguard reported that bit-and-piece DDoS attacks that used only 10 Gbps have boomed by 233% in the first two quarters of 2021. Its findings reveal that 39.94% of bit-and-piece attacks were significantly increased with TCP ACK traffic as a new attack vector.
Secret Knowledge: Building Your Security Arsenal
Discover useful security resources, threat intel, cheatsheets, and open-source CLI/web tools.
- Falco: CNCF open-source cloud-native container runtime security tool.
- kdigger: a Context Discovery Tool for Kubernetes: A tool that automates many standard steps when pentesting Kubernetes from inside a pod.
- RhinoSecurityLabs/ccat: Cloud Container Attack Tool used for testing security of container environments.
- Open Policy Agent: Policy-based control tool designed for cloud-native environments.
- mkit: Managed Kubernetes inspection tool that validates several common security configuration settings of managed Kubernetes cluster objects and the workloads/resources running in the cluster.
- auditkube: Audit for EKS, AKS, and GKE Terraform modules for HIPAA/PCI/SOC2 compliance and cloud security.
- Cloud-custodian: Rules engine for cloud security, cost optimization, and governance, DSL in YAML for policies to query, filter, and take actions on resources.
- cloudsplaining: An AWS IAM Security Assessment tool that identifies violations of least privilege and generates a risk report.
- Netflix-Skunkworks/diffy: A triage tool used during cloud-centric security incidents to assist digital forensics and incident response (DFIR) teams by identifying suspicious hosts.
- Aquasecurity/cloudsploit Scans: Cloud security configuration checks and Cloud security posture management (CSPM) tool.
- dagrz/aws_pwn: A collection of AWS penetration testing junk.