Live streaming service Twitch dealt with a major bot attack this week and was forced to block logins from exotic browsers to prevent a threat actor from mass-creating new accounts to be used in future hate raids.
According to a developer who creates Twitch-centered software, more than 4 million new accounts were created over the course of roughly 30 hours between late Sunday and early Tuesday this week.
Looks like someone found an "easy" way to create lots of Twitch accounts. It's been a bit over 24 hours now and over 4 million bot accounts were created and it's still going up. https://t.co/FTYk3TrksU pic.twitter.com/j61CAvWZXV
— CommanderRoot (@CommanderRoot) September 25, 2022
Since such operations are usually carried out with automated tools like headless browsers, Twitch’s security team initially responded to the attack by blocking all user logins from every browser except the most recent versions of Chrome, Firefox, and Edge, which most of its “legitimate” user base was likely using.
🔧 Seeing an error when logging in? Be sure you are using a supported web browser (Chrome, Firefox, or Edge), and your browser is fully updated!
We have a help article to help troubleshoot this coming soon!
— Twitch Support (@TwitchSupport) September 28, 2022
“There are organized groups trying to create botnets—bots that end up getting used for hate raids. There was one such mob very active recently,” Tom Verrilli said in a Twitter thread yesterday, trying to explain to users what was happening and why some of them couldn’t log in.
There's a lot of "WTF" replies and "It's about Ad-Block!" sub-tweets so let me help explain what's going on here. 🧵 https://t.co/vzgLQ6kaVN
— Tom Verrilli (@tdrobbo) September 29, 2022
“When that happens, we (1) close whatever hole they found, (2) clean up the bot accounts made. Because (1) takes time, we’re temporarily restricting log-in to certain browsers,” he added.
“I totally appreciate it’s a PITA. […] Unfortunately, this is what the work of making Twitch safe entails. Folks need to use a browser not of their preference today to stop tomorrow’s hate raid.”
In the meantime, the list of supported browsers has been expanded to include Apple Safari and Opera GX, as Twitch’s staff continues to investigate the root cause of the mass sign-ups and adds other browsers to the allowlist.
CommanderRoot, the developer who first spotted the bot attack, said that while Twitch failed to detect the attack when it started, the company was quick to intervene and stop it two hours after they first tweeted about it. However, CommanderRoot said that four days after the attack took place, most of the accounts are still not suspended.
You have to give Twitch some credit for stopping the massive bot account creation around 2 hours after I tweeted about it. That makes me wonder. When did Twitch notice it? Did it take a 3rd party like me and community outcry or did they have alerts set up? https://t.co/06PjlHqAib
— CommanderRoot (@CommanderRoot) September 29, 2022
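The question raised in the thread above, whether the platform had alerting for a burst of sign-ups, is the kind of thing a defender can answer with a simple rate monitor over the account-creation log. The following is an added example, not code from the article, from Twitch, or from CommanderRoot: it walks a sliding window over constructed sign-up log lines, raises one alert when the number of sign-ups in the window exceeds a baseline, and reports the dominant user agent in that window, which is the signal behind the browser-allowlist response described earlier. The log format, the window length, the threshold, and the user-agent strings are all assumptions made for the illustration.

```python
"""Sliding-window alert for bursts of account creation (added example)."""
from collections import Counter, deque
from datetime import datetime, timezone

# Constructed sample sign-up log (not real Twitch telemetry). Assumed format:
# "<ISO 8601 UTC timestamp> signup <username> <user-agent>".
SAMPLE_LOG = """\
2022-09-25T22:00:00Z signup alice Mozilla/5.0 Chrome/105.0
2022-09-25T22:00:20Z signup bob Mozilla/5.0 Firefox/105.0
2022-09-25T22:00:45Z signup carol Mozilla/5.0 Chrome/105.0
2022-09-25T23:00:00Z signup bot0001 HeadlessChrome/90.0
2022-09-25T23:00:01Z signup bot0002 HeadlessChrome/90.0
2022-09-25T23:00:01Z signup bot0003 HeadlessChrome/90.0
2022-09-25T23:00:02Z signup bot0004 HeadlessChrome/90.0
2022-09-25T23:00:02Z signup dave Mozilla/5.0 Edge/105.0
2022-09-25T23:00:03Z signup bot0005 HeadlessChrome/90.0
2022-09-25T23:00:04Z signup bot0006 HeadlessChrome/90.0
"""


def parse_line(line):
    """Split one log line into (timestamp, event, username, user_agent)."""
    ts_str, event, user, ua = line.split(" ", 3)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, event, user, ua


def detect_signup_bursts(log_text, window_seconds=60, max_per_window=5):
    """Return one alert per burst as (window_start, count, dominant_user_agent).

    A sliding window is kept over sign-up timestamps. When the number of
    sign-ups inside the last `window_seconds` exceeds `max_per_window` (a
    baseline an operator would derive from normal traffic; the value here is
    a placeholder), one alert is raised and no further alert is emitted until
    the rate drops back under the threshold.
    """
    window = deque()  # (timestamp, user_agent) for sign-ups inside the window
    alerts = []
    in_burst = False
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event, _user, ua = parse_line(line)
        if event != "signup":
            continue
        window.append((ts, ua))
        # Drop entries that have aged out of the window.
        while (ts - window[0][0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) > max_per_window:
            if not in_burst:
                in_burst = True
                # The most common user agent in the burst is what an
                # allowlist-style mitigation would key on.
                dominant_ua, _ = Counter(u for _, u in window).most_common(1)[0]
                alerts.append((window[0][0], len(window), dominant_ua))
        else:
            in_burst = False
    return alerts


if __name__ == "__main__":
    for start, count, ua in detect_signup_bursts(SAMPLE_LOG):
        print(f"ALERT: {count} sign-ups since {start.isoformat()} (dominant UA: {ua})")
```

Run as-is it flags the burst starting at 23:00:00 in the constructed log with HeadlessChrome as the dominant client; in a real deployment the threshold would come from the platform's own historical sign-up rate, and the window would typically be evaluated over a stream rather than a fixed string.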