The risks of being a popular gaming personality
Within the last week a number of popular Twitch/YouTube personalities and professional eSports players found their Steam accounts compromised, with many struggling to determine what had in fact been the cause. The CS:GO subreddit /r/GlobalOffensive was teeming with reports of popular gaming personalities and pros reporting via their Twitter accounts that their Steam accounts had been hacked.
Summit1g was hacked live on stream
It came out of nowhere. Within a matter of hours it became fairly clear that Steam itself had been compromised. Impacted players were scrambling to recover their accounts, only to find that their credentials were constantly being reset.
The cause? A simple Steam password recovery page had opened up a loophole that allowed hackers to attempt a password reset knowing only the account username. After selecting “Email account recovery code”, the following page would prompt the user for the emailed code. What happened next is just short of insane: you did not have to enter the emailed code. You could simply continue the process with no code entered and set a fresh password, bypassing the second layer of security, which requires access to the attached email address.
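The class of flaw described above, as an added example that is not Valve's code and not part of the original post: a hypothetical recovery-code check that fails open on an empty submission, beside a version that fails closed. All function names, the in-memory store, the time-to-live and the attempt limit are assumptions made for illustration.

```python
import hmac
import secrets
import time

# Hypothetical names and values throughout; not Valve's implementation.
CODE_TTL_SECONDS = 15 * 60   # assumed validity window
MAX_ATTEMPTS = 5             # assumed guess limit per issued code

def issue_code(store, username, now=None):
    """Create the single-use recovery code that would be emailed to the owner."""
    now = time.time() if now is None else now
    code = secrets.token_hex(4).upper()
    store[username] = {"code": code, "expires": now + CODE_TTL_SECONDS, "attempts": 0}
    return code

def verify_code_flawed(store, username, submitted):
    """Fails open: the comparison only runs when something was typed."""
    entry = store.get(username)
    if entry is None:
        return False
    if submitted and submitted != entry["code"]:
        return False
    return True  # an empty submission falls through to here

def verify_code_hardened(store, username, submitted, now=None):
    """Fails closed: missing, empty, expired, over-guessed or wrong codes are rejected."""
    now = time.time() if now is None else now
    entry = store.get(username)
    if entry is None or not isinstance(submitted, str) or not submitted:
        return False
    entry["attempts"] += 1
    if now > entry["expires"] or entry["attempts"] > MAX_ATTEMPTS:
        store.pop(username, None)   # invalidate; the user must request a new code
        return False
    if not hmac.compare_digest(submitted.encode(), entry["code"].encode()):
        return False
    store.pop(username, None)       # single use: the code cannot be replayed
    return True

if __name__ == "__main__":
    store = {}                      # constructed in-memory store for the demo
    issue_code(store, "constructed_user")
    print("flawed accepts empty code:", verify_code_flawed(store, "constructed_user", ""))
    print("hardened accepts empty code:", verify_code_hardened(store, "constructed_user", ""))
```

The hardened check treats "no code supplied" as a failed verification rather than a skipped one, which is the property the reset flow needs before it allows a new password to be set.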
Valve patched the loophole, but it’s still unclear what kind of damage has been caused by the breach. Many people are worried about their Steam items, particularly large traders and streamers who have sizeable caches of items worth thousands of dollars.
The other concerning factor, which for me personally comes as no surprise, is Valve’s complete lack of information regarding the matter.
I guess the more worrying aspect of the whole saga was the fact that these popular gaming personalities and pros were specifically being targeted by the breach. It brought up a lot of other issues that have been plaguing the community as of late, and some that have occurred over the last few years.
Swatting, for instance, became extremely prevalent for Twitch streamers throughout 2014 and perhaps more so earlier this year.
For those not aware of what “Swatting” is, it’s the act of an individual gathering a person’s (or more specifically in this case, a streamer’s) home address, and then proceeding to call local law enforcement with a bogus report on “apparent” events happening at this individual’s address. Local law enforcement HAVE to act on these calls; stopping to scrutinise each and every one of them could delay action and result in the loss of life or lives.
This is extremely dangerous, as heavily armed law enforcement stream into the individual’s place of residence and all it would take is a wrong move by the targeted individual to be potentially shot. Thankfully this has not occurred, and everyone who has been impacted by this horrendous act has escaped unscathed. Many believe the end goal of the instigator is to scare their victims into submission based on whatever pathetic issue they had when they made such a call.
Some justice was had with a 17-year-old arrested in Canada for close to 23 charges related to Swatting and harassment. I find it unbelievable that an individual would even consider this as an act of revenge for someone on stream not acknowledging them or just out of sheer dislike of the intended party.
Doxing (from dox, an abbreviation of documents), or doxxing, is the act of an individual or individuals searching the internet for personal information about a specific target or targets. On most occasions the ultimate goal of doxing is to post personal information about someone online for the world to see and get their hands on.
This includes information such as your home address, place of business, credit card numbers and so on. Not only does this expose the individual to identity theft, but it also opens the floodgates to harassment from individuals who choose to do so.
The act isn’t purely reserved for streamers and stretches far and wide to anyone and everyone.
DDoS attacks have been around for many, many years. To put it extremely simply: once the attacker has the intended victim’s IP address and access to a botnet (a bunch of breached computers), they can send a significant amount of data to the target’s IP address from these computers at the same time. This interrupts the target’s internet connection, sometimes resulting in loss of internet, breaking the individual’s stream and, in countries where ISPs still apply data quotas, causing large bills.
In the gaming world, from my knowledge, some prominent Counter-Strike players were specifically targeted during online tournaments, interrupting play or rendering the player unable to continue for the remainder, thus giving their opponents an advantage and potentially yielding the attacker a large amount of skins. Betting has been blamed recently as one of the main driving points for such attacks, but other attackers appear to only target individuals for personal gratification or a public display of the target being impacted by the attack.
The first two types go hand in hand. Posting too much information about yourself online leaves you open to being targeted by these individuals. In an overly social and sharing world, the best method is to be extremely cautious about what you say online and what you post online. The streamers/players targeted would have been specifically targeted for the hacker(s) to potentially gain notoriety for attacking certain individuals, or to seek revenge for lack of acknowledgement. All this does is hurt the community and in some cases cause emotional distress to the intended targets.
DDoS, on the other hand, can be relatively simple to prevent. I won’t go into the specifics about how to do so, but on a technical level, if you ever find yourself being solicited to visit particular websites during a stream, do so with caution or, better yet, not at all. The other side of it is that some popular VoIP applications such as Skype completely expose users’ IP addresses if the attacker gets their eyes on your Skype login/username.
So if you are ever streaming and using Skype, don’t expose your username to the world… you never know who might be watching.
It raises questions regarding how popular TV and movie personalities deal with similar scenarios, albeit still somewhat ‘analogue’. I guess the takeaway from this is: be smart about what you do online, and have some kind of safety for yourself if you want to stream and/or expose who you are in other mediums, but in the end, you need to trade off some things to actually do what you want.
If there is some interest I will post a piece on some preventative measures from a technical perspective when streaming and some other small tips.