If you're not a gamer or interested in computer games, you may not be familiar with Twitch, a site that streams live feeds of people playing (and commenting on) titles like League of Legends or Counter-Strike. However, the site is extremely popular – techcrunch.com notes that it's the "fourth largest site… in terms of peak traffic" – and, thus, it shouldn't surprise anyone that it's a target for hackers. It looks like the hackers finally had their day: the team at Twitch notified users that they were forced to reset all passwords because of a data infiltration.They also noted that all passwords were "cryptographically protected"… so what's the deal with the password being reset? After all, isn't encryption supposed to be nearly impossible to break?
When it comes to encryption, though, encryption is not encryption is not encryption. That is, there are all sorts of cryptographic solutions, each meant to do one thing (and not another). For example, a common misunderstanding that we at AlertBoot run into is how laptop disk encryption works.A sizable minority are under the impression that disk encryption allows files to be sent over the internet securely. Or that, since the laptop is encrypted, data copied to a backup disk will also be encrypted automatically. This couldn't be further from the truth, and is an excellent way to increase the risks of a data breach. Disk encryption works by literally encrypting the hard disk of a computer…and nothing more.
Technically, files on an encrypted disk are not encrypted. As I noted above, it's the disk that's encrypted. The files just happen to be protected because they're in an encrypted storage medium. This is why if the same files are copied to an (unencrypted) external hard drive or sent as an attachment via email, they'll be sent and received as plain, unencrypted files.File encryption would resolve the problem but introduce its own: each new file would require encryption. Accessing already encrypted files would require that password be entered each time you try to open them. Data security blind spots like temporary files would become a problem.So, each type of cryptographic solution has its pros and cons.
When it comes to passwords something known as a cryptographic hash is used. Technically, this is not encryption. This is a process where plain text is converted into gibberish…but it cannot be converted back. It's ideal for passwords because it ensures that only the user and no one else (not even system administrators) knows the password.So, why did Twitch reset these passwords? Because there is still a way to figure out these hashed passwords. Essentially, you hash a list of common passwords and see what you get. Because the hash algorithm will always return the same output for an input, it's a matter of comparing the stolen passwords to known input-output outputs.Granted, the hackers won't be able to figure out each and every single password, but the sheer size of Twitch's user base guarantees that the hackers will uncover enough of them to cause damage.