Including its source code. Change your passwords and add two factor authentication if you haven't.

Then take a look at what everybody earned from Twitch since October 2019.

It also references a potential Amazon competitor to Steam apparently.

  • DaringDarek [none/use name] · edit-2 · 3 years ago

    Password hashes are designed to buy time in case of a leak.

    It's a matter of chosen strength vs. how much hardware $$ someone wants to spend. If Twitch were doing things right, an attacker would not bother cracking everyone's passwords but instead focus on a few specific users. You could rent half the cloud for twenty minutes if you really wanted to.

    Overall unlikely, but may as well change your password anyway.

    • sun [they/them] · edit-2 · 3 years ago

      If they’re using a good key size (e.g. 128 bits), it’s functionally impossible to break a blowfish cipher (pretty standard in my experience). It would take billions of years to run a brute force attack against a reasonably strong cipher.

      • SolidaritySplodarity [they/them] · 3 years ago

        The biggest risk is really whether they chose to prioritize security or just left it up to tiny budgets and middle management, which I would say is the usual standard. Security best practices are for the cool kids that care about it enough to actually do it and you won't know about the worst ones until things like this happen. There's basically no punishment for it, either.

        • sun [they/them] · 3 years ago

          No disagreement there (and I haven't looked through their code so what do I know), but you would have to go out of your way to screw up password hashing. I don't see how there's any way a company like Twitch, whose engineering team is known for being good at what they do, wouldn't lock that down.

          • SolidaritySplodarity [they/them] · 3 years ago

            The way to screw it up is to do it 5+ years ago and use a library that doesn't automatically use bcrypt or similar, but forces you to personally choose to salt and hash as a design decision (or by default just not do that). I've seen no salt + md5sum before, lol.
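Added example (not from any poster in this thread): the two schemes the thread contrasts side by side. The unsalted MD5 case from the last reply, where every user with the same password gets the same digest and one precomputed table cracks them all, next to a salted, deliberately slow hash with a tunable work factor, which is the "chosen strength vs. hardware $$" trade-off from the first reply. The post names bcrypt; this code uses PBKDF2-HMAC-SHA256 from the Python standard library as a stand-in so it runs with no third-party package. The sample passwords are constructed for the demo.

```python
import hashlib
import hmac
import os
import time
from typing import Callable, List, Optional

# Constructed sample data: three accounts, two of which chose the same password.
SAMPLE_PASSWORDS: List[str] = ["hunter2", "hunter2", "correct horse battery staple"]


def md5_unsalted(password: str) -> str:
    """Legacy scheme described in the thread: bare MD5, no salt.
    Identical passwords produce identical digests, so a leaked table reveals
    which accounts share a password and a single lookup table cracks all of them."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = 600_000,
                  salt: Optional[bytes] = None) -> str:
    """Salted, slow hash. PBKDF2-HMAC-SHA256 stands in for bcrypt here (assumption:
    stdlib only). The iteration count is the work factor: raising it multiplies the
    attacker's cost per guess as well as the server's cost per login.
    Stored form: algorithm$iterations$salt_hex$digest_hex, so the parameters travel
    with the record and can be raised later without breaking old entries."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def duplicate_digests(passwords: List[str], hasher: Callable[[str], str]) -> int:
    """Number of stored digests that repeat. An unsalted hash exposes every shared
    password as a duplicate; a salted hash shows zero even for identical passwords."""
    digests = [hasher(p) for p in passwords]
    return len(digests) - len(set(digests))


def seconds_per_guess(iterations: int, password: str = "hunter2") -> float:
    """Wall-clock cost of one guess at a given work factor on this machine."""
    start = time.perf_counter()
    hash_password(password, iterations)
    return time.perf_counter() - start


if __name__ == "__main__":
    print("duplicates under unsalted MD5:   ", duplicate_digests(SAMPLE_PASSWORDS, md5_unsalted))
    print("duplicates under salted PBKDF2:  ", duplicate_digests(SAMPLE_PASSWORDS, hash_password))
    record = hash_password("hunter2")
    print("verify correct / wrong password: ",
          verify_password("hunter2", record), verify_password("hunter3", record))
    for work in (1_000, 100_000, 600_000):
        print(f"{work:>7} iterations: {seconds_per_guess(work) * 1000:.1f} ms per guess")
```

The duplicate count is the quickest sanity check to run over a leaked table: a nonzero result under a scheme that claims to be salted means it is not. The timing loop makes the thread's cost argument concrete: the per-guess time is what the attacker multiplies by the size of their wordlist, which is why a leak of unsalted MD5 is cheap to crack in bulk while a properly tuned slow hash pushes an attacker toward a handful of high-value accounts.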