StreamElements, a popular platform for streaming tools, has confirmed a third-party data breach affecting approximately 210,000 users. While StreamElements’ own servers were not compromised, a breach at a third-party service provider they used until last year resulted in the exposure of user data. This incident highlights the risks associated with relying on third-party vendors for data storage and processing.
The Breach and its Impact
A threat actor, identified as “victim,” leaked samples of the stolen data on BreachForums, claiming to possess information for 210,000 StreamElements customers. The leaked data reportedly included full names, addresses, phone numbers, and email addresses. Twitch journalist Zach Bussey independently verified the authenticity of the leaked data by requesting his own information, which was promptly provided by the hacker.
Threat actor’s post on BreachForums
Source: BleepingComputer
StreamElements confirmed the breach in a tweet on X (formerly Twitter), stating: “We recently became aware of a data security incident involving a third-party service provider we stopped working with last year. We can confirm no StreamElements servers have been breached.”
They further stated that they are actively reaching out to affected users to assess the impact.
The threat actor claimed to have gained access to the data through an employee’s compromised internal account, potentially infected with malware. This allowed access to the platform’s order management system, containing user data from 2020 to 2024. While StreamElements has not officially confirmed this method of attack, users registered during this period are advised to remain vigilant against potential phishing and scams.
Third-Party Risk and Responsibility
This incident underscores the critical importance of carefully vetting and monitoring third-party vendors. Even after ceasing a relationship with a vendor, data previously entrusted to them may remain vulnerable. StreamElements’ statement emphasizes that their own systems were not compromised, but the breach at the third-party provider still resulted in the exposure of user data, highlighting the extended responsibility for data security.
StreamElements has already reported phishing attempts leveraging this breach to target users with fake “data breach” emails. This highlights the immediate and ongoing threat to users following the disclosure of their data.
StreamElements’ Response and Ongoing Investigation
StreamElements has acknowledged the breach and is conducting an investigation. As of the writing of this summary, they have not yet begun sending data breach notifications to affected users. The threat actor’s post on BreachForums has since been removed.
The company’s response emphasizes the need for proactive measures following a third-party data breach. This includes alerting users to potential phishing attacks and conducting a thorough investigation to determine the full scope of the breach and implement further preventative measures.
Learning from Third-Party Data Breaches
The StreamElements third-party data breach serves as a cautionary tale for all organizations. Thorough due diligence in selecting third-party vendors, robust security protocols, and a proactive approach to incident response are crucial for mitigating the risks associated with outsourcing data management. The rapid verification of the breach by a journalist further emphasizes the need for transparency and swift action in the face of a security incident.
