If you have a Twitch-Account, change your password and enable 2FA asap. And I hope that you did not reuse the Twitch-password on another site.

2 years ago

Thanks a lot for this information, didn't know that before!

2 years ago

Passwords are still encrypted, that's some good news. Means it is not in plaintext and still not easily recoverable (even) if the algorithm and other measures are not known - but source code was leaked as well.

2 years ago

a simple comparison of hashes would reveal the password, especially if it's common or easy

2 years ago

Normally nowadays passwords are also salted which means that the same password does not result in the same hash.

2 years ago

If they now have the source code, does that not mean they may also have the salt?

2 years ago

A cryptographic hash is meant to be a one-time function, the transformation for all intents is not reversible. The only way to crack it is to brute force generate all possible passwords (or at least common ones) and compare the hashes. Taking this one step further, a prepared attack can use tables of stored passwords and precomputed hashes (aka rainbow tables) to make the search much faster.

To foil this kind of attack, passwords are usually salted with a unique nonce before being hashed, this basically renders such tables useless. The salt is not exactly secret, only unique, and usually stored plain text next to the hash.

TLDR: knowing the salt does not make it easier to crack a hashed password, other than maybe the shorter length of the combined(password, salt) string, and it's still beyond the reach of pretty much anyone to brute force.

2 years ago

Or to put it another way: if your password has 200+ bits of entropy and the hashing function in use isn't broken (looking at you md5, sha1, etc), you're good. Salt or no salt.

2 years ago

one downside of not salting is that two users using the same password will have the exact same hash, but yes as long as the hashing function used isn't weak, you're good.

2 years ago
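
The salting behaviour discussed in the comments above, as an added example that is not part of the original thread and not Twitch's code: it assumes PBKDF2-HMAC-SHA256 with an example iteration count, and the function names and sample passwords are made up for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # example work factor chosen for this sketch (assumption)

def unsalted(password: str) -> bytes:
    """Fast hash, no salt: equal passwords always give equal digests."""
    return hashlib.sha256(password.encode()).digest()

def salted(password: str, salt: bytes) -> bytes:
    """Slow, salted hash (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def new_record(password: str) -> tuple[bytes, bytes]:
    """What the server stores: a random per-user salt (in the clear) and the hash."""
    salt = os.urandom(16)
    return salt, salted(password, salt)

def verify(password: str, salt: bytes, stored: bytes) -> bool:
    """Login check: recompute with the stored salt, compare in constant time."""
    return hmac.compare_digest(salted(password, salt), stored)

def demo() -> dict:
    shared = "hunter2-constructed-sample"  # constructed password used by two users
    # Precomputed, salt-free digests of a few constructed candidate passwords.
    table = {unsalted(p) for p in ("123456", "password", shared)}
    alice_plain, bob_plain = unsalted(shared), unsalted(shared)
    a_salt, a_hash = new_record(shared)
    b_salt, b_hash = new_record(shared)
    return {
        "unsalted_users_collide": alice_plain == bob_plain,
        "unsalted_in_table": alice_plain in table,
        "salted_users_collide": a_hash == b_hash,
        "salted_in_table": a_hash in table,
        "login_ok": verify(shared, a_salt, a_hash),
        "wrong_password_ok": verify("not-the-password", a_salt, a_hash),
        "other_users_salt_ok": verify(shared, b_salt, a_hash),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The salt does its job without being secret: it forces each record to be attacked separately, while the slow hash and the strength of the password determine how hard that per-record work is.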

Thanks, changed my pass and made sure to activate 2FA. No idea why I didn't have it on already.

2 years ago

I'm actually wondering about this. Could it be in connection to recent events either by those accused or those who think Twitch aren't doing enough?

2 years ago

Thanks for the Info.

They have now my "will be maybe spammed" email address (far from the main one) and a password that I use only for twitch.
So congratulations hackers, have fun with my 2 followers :-D muhahahahahaha

Of course, if they could hack the 2FA before all that.

2 years ago*

Thanks for letting us know. I will take immediate action for this.

2 years ago

Thanks for the heads up. I had 2FA, but this made me finally just disable my account. I hardly ever used it anyway.

2 years ago

Naah nothing of value was lost.

2 years ago

Oi, Thanks mate.

2 years ago

Thanks. Changed password, but not 2FA. :P

2 years ago

Hmm..👀

Thank you info♪

2 years ago

They require a phone number to set up 2FA, meaning anybody who hasn't used a burner, probably has had their phone number leaked, too.

All of which is kind of stupid, but hey, GOTTA HAVE those phone numbers.

2 years ago

Big tech keeps demanding more and more private information under the guise of security, yet time and time again they're the ones that endanger our accounts and allow our data to be dumped on the internet. Why do we put up with such BS?

2 years ago

Maybe I'll get something other than spam calls in Mandarin now! I have no connection to China nor can I speak Mandarin so idk why I get them.

2 years ago

Ah, there you are.
你好吗？^-^

2 years ago

Bump for visibility. Thank you

2 years ago

Thanks for the notification.

It's been a long time since I changed it. Thankfully I did have 2 factor on. I use LastPass so it was a unique pass not used elsewhere. I've made it much longer. :)

Bump....

2 years ago

I recommend not enabling 2FA. The attackers may still have access to Twitch's systems, and they could learn your phone number, and potentially include it in part 2 of their data drop.

2 years ago

Closed 1 year ago by AmanoTC.