The Real Problem Nobody Is Paying Attention To

At 10:30 p.m. PST on Oct. 6, Twitch released the following statement on its corporate blog: “We have learned that some data was exposed to the internet due to an error in a Twitch server configuration change that was subsequently accessed by a malicious third party.”

Then, on Oct. 15, Twitch released an updated version of its statement revealing more details about the leak and confirming the “exposed data primarily contained documents from Twitch’s source code repository, as well as a subset of creator payout data.” GitGuardian inspected the 6,000 leaked git repositories for secrets and sensitive data, and while most of the attention has been on the leaked creators’ revenues, the results show a much more serious problem that extends beyond this breach.

This leak can be added to a long list: Symantec in 2012, Adobe in 2013, Microsoft in 2017, Apple and Snapchat in 2018, Samsung in 2019, and dozens of enterprise companies in one single high-profile operation executed by a Swiss hacker in 2020. Not a year goes by without hearing or reading about such horror stories in the world of cybersecurity. But what makes source code such an attractive target for hackers?

Is Source Code More Than Just Lines of Code?
Source code is a corporate asset like any other. It takes thousands of hours to design, write, test, release, fix, and improve. Companies in the technology sector, like Twitch, consider source code as a blueprint that describes the internals of their digital platforms and the products they build and offer. Code is arguably one of the most valuable assets for such companies, at the source of business opportunities and value creation.

However, a blueprint, like any technical or engineering drawing of physical goods, isn’t enough to reproduce the same goods it details. For many cybersecurity analysts, the same reasoning holds for source code leaks. From a technical standpoint, they don’t consider these leaks to be dramatic events that threaten business continuity. Isolated, most of the source code is deemed to have no real value or use unless the attackers have other pieces of technology and, more importantly, the people and talent to use it. Moreover, stolen source code rapidly…