Look, I’m not going to get into whether you should be using Twitch or not, but the reality is many people do. I’ve been seeing increasing calls, particularly on Discord servers, to change your Twitch password, and on any site you use the same password on.

Those calls mean well I’m sure, but is it actually necessary? I’m going to assume that Twitch implements password hashing and salting correctly (though, with the source code leaked you could presumably just check), so realistically even though the authentication database was leaked, there would be no way for an attacker to get access to your real password, right? Isn’t this the exact situation password hashes are meant to protect against? I feel like the most we’d have to worry about is login tokens for apps and session cookies, which can be pretty easily mitigated from the server side by invalidating them all.

  • HMH@lemmy.ml
    link
    fedilink
    arrow-up
    5
    ·
    3 years ago

    This argumentation is fine if your password is strong, Twitch followed best practices concerning password hashing + salting AND the whole thing is ONLY a leak. But to me it looks like the attacker(s?) probably had full access to a lot of Twitch’s internal infrastructure, possibly for a prolonged time. That’s why I think it’s very much possible that password have been obtained in another way.