My wife and I can't wrap our brains around the fact that payment info was leaked alongside source code.
Any theories how this happened?
Former pentester btw. I saw a lot of interesting things during my time, but I can't recall seeing a payment database next to a source code repo.
Did their s3 bucket get popped or something?
Even if their GitHub Enterprise got popped, that doesn't explain that streamer payouts down to the dollar were leaked. "Oh yeah, I commit all my Stripe data into GitHub. It's for compliance /s"
There are several ways this could have happened.
1) The payment data were just artifacts left on some file server or from a process that was accessible from dev space.
2) No real systems were accessed; it's all from a bad backup server or a poorly managed worker pool.
3) Multiple persons got hacked.
4) Exit scam of one or more workers who just had broad enough access for some reason.
5) Twitch's security is just that bad.
One notable thing is that the payment data are quite limited; there seem to be no real private data, and the git history also seems to be missing. It's not clear whether this is on purpose and whether more data will follow. But overall this hints so far that this at least was not a full deep hack.
Git commits are a good place to look for passwords/users checked in, unless you specifically prune them. So your current mainline may not have it, but the stuff is still there in the commit history chain. So if you have access to that, you probably could leverage it into several other systems.
Also a pentester. My guess is that they just had really broad access to Twitch's systems, not that card data and source code were together. Given the amount and range of data, wide-ranging access to their infrastructure is the only thing that makes sense to me here.
There are a ton of companies hiring pentesters. Most testers fall into the profession after having worked in other network- or IT-related professions. A few are freelance; most work for a company or, in my case, start their own and expand out services. It's not really any different from any other tech job at the end of the day; it just seems glamorous. Don't become a pentester if you're not ready to write extensive reports; it's probably 75% of the job.
With that, there are tons of specific disciplines you can focus on in pentesting. I'd figure out what excites you and then go for it. Web app is different from physical exploitation of security systems, etc., but some of them cross over.
Another option: work for the government; join a red team or apply. They'll train you, and you'll leave with a new perspective and possibly knowledge you can't get elsewhere.
> if you're not ready to write extensive reports; it's probably 75% of the job
Do you happen to have a system for building these out? As a techie, I imagine you've tried something like text-expander or similar... but I see a lot of people unsatisfied that they end up building their own tools.
Yes, we have a few tools that fill in based on scan data, with typical points of data, but a lot of what we're doing requires that it be presented from a few different perspectives. Generally we provide a couple of reports. The highly technical one (with notes, logs of actions, etc.) can be hundreds of pages, but it's meant to be a reference for the engineering teams fixing what we found. We also sometimes provide full screen captures of the "ops". Second, we provide a pared-down version of that report with issues and recommendations, usually for the person that hired us. It includes what we recommend for them to be successful. Finally, we provide an executive report that is designed to be presented by the second report's recipient. Usually we've addressed the high-level issues, helped with internal requests if possible (i.e. IT/Security wanted a budget for a new firewall, so we help boost that with our report as part of future planning, etc.), and ultimately this report is designed to give whomever hired us the ability to be the rockstar (we're just the tool).
So all in, there are different tools needed for each report. Fortunately, the way we capture the data and notes throughout the "op" makes it much easier for the team to put together each part.
There are ways we could automate more; we've even messed with AI writing some of the suggestions and actions based on input. So far, though, we still need the humans in the loop.
Honestly the first few reports are hardest, after that you find a process and it becomes much easier.
Wow -- thank you kindly for the thorough answer. It looks like you have the reporting down to a science (given how effective that comment was and how quickly you turned it around! :).
I've seen a lot of professions where in depth reporting still requires humans in the loop, and I think that will always be the case.
There's a small hope I have that one day writing will be a bit more like programming -- as in selecting a 'class' for a structure of a section / paragraph / thesis you want to communicate, which then provides typed functions for potential inputs -> outputs, freeing up human brain cycles for more interesting ideas.
Depends, actually. If you just want to do pentesting, then probably do some certifications like OSCP, CompTIA, etc. Once you get those, it's quite easy to land an interview for pentesting.
Initially the job may not pay well, but you can build your network and then probably start doing contract work. Most of the pentesters I know make more from freelance/contract work than from their jobs, because mostly that contract/freelance work pays on an hourly basis. The initial hourly rates are usually somewhere between 40-50 USD, but they can go to 120-150 after just a few jobs.
P.S. I might have made it sound like a very simple or easy profession, but it's not :)
I would add that the more experience and time you have on the job, the more those contract rates go up exponentially. I would also recommend, if you're freelancing, that you still do it under an LLC and purchase a liability policy. Too many risks.
For example: in 2012 the average consulting hourly rate I charged was $350. Stayed booked. 2016: $550. Stayed booked. In 2018 I had a couple of really large clients that paid $1500+/hr.
There's gold in the hills, the trick is to figure out how to sell the pans, water, plots of land, and transportation to them. If you can work in complementary services or referrals for all the above, you just made yourself even more valuable.
Theorypothesis: the pre-Amazon-acquisition company had very informal access controls, and Amazon is known for limiting how much change it imposes on acquisitions, so it didn't know about this or didn't change to a more corporatey way of controlling access.
I guess if you have access to a build server you might spy out some access credentials to other venues. Not impossible, at least; or perhaps some sort of service account was compromised that had access to both. That doesn't mean there was an immediate proximity of these systems, although that might also be possible.
I know projects that do or did put their production database credentials, which had full read and write access, in git.
And no, that's not a clever thing to do, nor is there a good reason to do it. But people do things you don't like, and there's little you can do about it.
I would like to live in a world where you were right, but I am not. Sadly.
[Edit] Dumps, though, are another thing. Not seen that, yet.
You need to open that link incognito. (If clicking through from HN)
The site you linked to detects if the referrer URL is HN and displays only an image saying "HACKER NEWS - A DDoS MADE OF FINANCE-OBSESSED MAN-CHILDREN AND BROGRAMMERS" instead of the content you are trying to link to.
Yeah, it looks like there are a lot of hard-coded credentials, and one of those is to a twitch_reports database, which might be where these financial reports came from.
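Taking the two points above together (credentials surviving in git history even after they are removed from mainline, and hard-coded database credentials turning up in the leaked tree), here is an added example of the kind of scanner used to find them. It is not code from the leak, from Twitch, or from any project mentioned here: it regex-scans the checked-out tree and then every added and removed line in `git log -p` output, attributing each hit to its commit. The repository contents, commit hashes, author, and credential values are constructed for the demo; only the `twitch_reports` database name is taken from the comment above.

```python
"""Find credentials in a checked-out tree and in `git log -p` history.

Added example, not code from the leak or from Twitch.  The scanner and
diff parser are real; the sample tree and log below are constructed.
"""
import re
from typing import NamedTuple


class Finding(NamedTuple):
    commit: str   # "WORKTREE" for the checked-out tree, else the commit hash
    path: str
    kind: str
    line: str


# Credential shapes that commonly end up in config files.  Deliberately small
# for the demo; real scanners add many more patterns plus entropy checks.
PATTERNS = {
    "db_url": re.compile(
        r"(?i)\b(?:postgres(?:ql)?|mysql|mongodb)://[^\s'\"]+:[^\s'\"]+@[^\s'\"]+"),
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "assignment": re.compile(
        r"(?i)\b\w*(?:password|passwd|secret|api[_-]?key|token)\w*"
        r"\s*[:=]\s*['\"][^'\"]{8,}['\"]"),
}


def scan_text(text, commit="WORKTREE", path="-"):
    """Return one Finding per (pattern, line) pair that matches."""
    findings = []
    for line in text.splitlines():
        for kind, pat in PATTERNS.items():
            if pat.search(line):
                findings.append(Finding(commit, path, kind, line.strip()))
    return findings


def scan_worktree(files):
    """files: {path: contents} for the currently checked-out tree."""
    out = []
    for path, contents in files.items():
        out.extend(scan_text(contents, "WORKTREE", path))
    return out


def scan_git_log(log_text):
    """Parse `git log -p` output and scan every added AND removed hunk line.

    A removed ('-') line proves the secret existed in the parent commit, so it
    is as interesting as an added one: deleting a credential from HEAD does
    not revoke it, and anyone holding the repository still has it.
    """
    findings, commit, path = [], None, None
    for raw in log_text.splitlines():
        if raw.startswith("commit "):
            commit = raw.split()[1]
        elif raw.startswith("diff --git "):
            path = raw.split()[-1]
            path = path[2:] if path.startswith("b/") else path
        elif raw.startswith(("+++ ", "--- ")):
            continue                      # file headers, not content
        elif raw[:1] in ("+", "-") and commit and path:
            findings.extend(scan_text(raw[1:], commit, path))
    return findings


# Constructed sample: HEAD reads the DSN from the environment, so scanning the
# tree alone finds nothing...
CURRENT_TREE = {
    "config/reports.py": 'import os\nREPORTS_DB = os.environ["REPORTS_DB_URL"]\n',
}

# ...but `git log -p` still carries both the commit that added the credential
# and the one that "removed" it.  Hashes, author and values are made up.
SAMPLE_GIT_LOG = """\
commit 3f2a9c1
Author: dev <dev@example.com>

    stop hard-coding the reports DSN

diff --git a/config/reports.py b/config/reports.py
--- a/config/reports.py
+++ b/config/reports.py
@@ -1,2 +1,2 @@
-REPORTS_DB = "postgresql://reports_rw:hunter2hunter2@db.internal:5432/twitch_reports"
-AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
+import os
+REPORTS_DB = os.environ["REPORTS_DB_URL"]

commit 9b8c7d6
Author: dev <dev@example.com>

    add reports db config

diff --git a/config/reports.py b/config/reports.py
--- /dev/null
+++ b/config/reports.py
@@ -0,0 +1,2 @@
+REPORTS_DB = "postgresql://reports_rw:hunter2hunter2@db.internal:5432/twitch_reports"
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
"""

if __name__ == "__main__":
    print("worktree:", scan_worktree(CURRENT_TREE))        # nothing
    for f in scan_git_log(SAMPLE_GIT_LOG):                  # four hits
        print(f"{f.commit} {f.path} [{f.kind}] {f.line}")
```

On a real checkout you would feed `scan_git_log` the output of `git log -p --all` (so unmerged branches and tags are covered too); the point of the demo is that the clean HEAD is irrelevant once the history has left the building, so the only fix is to rotate the credential, not to rewrite the commit.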
If you're using Firefox you can prevent the browser from sending the Referer by going to `about:config` and setting `network.http.sendRefererHeader` to 0.
EDIT: If you want to see how much everyone's making: https://www.reddit.com/r/LivestreamFail/comments/q2gooi/twit...