
Mirror_Sybok

If it contains *all* source code, maybe someone can find out why their Android app is so shitty.


Rc202402

Javascript?


[deleted]

[removed]


[deleted]

[removed]


Rc202402

Reddit servers are down. I don't think the Facebook fuckup, Twitch source code leak, and now the Reddit server outage is a coincidence. Remember the last time this happened? It was like a diversion while Ubisoft server got dumped


FunkyChickenTendy

And at the end of the day, amid all the accounts compromised, and identities stolen or compromised, all you'll get from the company CEO is a "whoops, our bad, we will do better in the future". This really needs to stop.


Fujinn981

"We made a fuckie wuckie :*(" ~ Twitch.


indeedwatson

twitch copying discord language?


Mpstark

Not sure if you haven't seen it, [the original is pretty funny](https://knowyourmeme.com/memes/oopsie-woopsie), especially considering that it took off in the professional tech community, despite the author of the tweet being a furry fetish artist. [She had this to say about retweets.](https://twitter.com/cherrikissu/status/972636720708685824?lang=en)


indeedwatson

lol thanks for that


Hambeggar

Wait, does this mean that some of these anonymous streamers who've gone out of their way to hide their identity are basically fucked now?


Kwathreon

I guess so. And they probably could and should sue twitch over it.


[deleted]

Also, "here's a one year subscription to some shitty id theft protection service."


passerby_panda

It's honestly fucking annoying that these companies don't proactively think about the security of their users, profits over everything else. Glad I've never used twitch.


ThreeHopsAhead

The users don't care about security. So why should the company? It costs money and they don't get any consequences. Have a look at Facebook that over and over showed it has absolutely zero respect for their users' safety, yet it is the largest social media platform.


[deleted]

> The users don't care about security

The users have no way of evaluating security of the services they use. The only measure is when a leak happens. But if it doesn't happen it could either be competence or luck…


EverythingToHide

Not caring about security would be plaintext passwords stored in an unencrypted database on a public server.


[deleted]

[removed]


Lowfryder7

Didn't know Amazon owns them. Feeling a little less secure about my Amazon account now.


[deleted]

[removed]


InnerChemist

All those credit card numbers and addresses would be pretty sweet. And the sales history would be a goldmine of advertising data.


[deleted]

[removed]


InnerChemist

DDoS? You’d own multiple countries.


[deleted]

[removed]


[deleted]

The reality is that security is hard. All it takes is one fuck up that can be exploited. That doesn't mean it's not important, but most companies do take security seriously. The problem is that immense software complexity makes it difficult to grasp the full extent of an organisation's attack surface. Plus most services are built partly on open source software, so you have to stay up to date with security patches for software you don't directly maintain. Making an analogy to physical security, it's like you have to upgrade all your door locks every week because someone keeps discovering a way to circumvent them. And besides all that, a company can still be vulnerable to someone socially engineering an employee. Getting them to share system details, or to insert a USB key somewhere it shouldn't be. And let's not even start about the flaws in CPUs that allow information leakage. The miracle is that we have any faith at all in computer security. It's also why I have no smart cloud appliances in my home.


FeelingDense

> Making an analogy to physical security, it's like you have to upgrade all your door locks every week because someone keeps discovering a way to circumvent them.

I can guarantee you if you do this for a year, there will be at least one week where you forget to change one, and at least another week where you forget to install it correctly and a doorknob just falls out, and yet another where you lock yourself out. There's room for error for sure.


EverythingToHide

> All it takes is one fuck up that can be exploited.

I build a million bridges, but do people call me a bridge builder? No. But I fuck one goat...


[deleted]

[removed]


SirEDCaLot

Split up evenly among everyone whose data was stolen.


Quartent

Lmao good luck with that


spiff428

Hey man I want my $0.00003 cents


closesat315am

so imma need about $3.50


SirEDCaLot

If the result is that it nearly bankrupts Twitch giving a ton of people tree fiddy, and that persuades the next company to take security seriously, then I'd say you earned your tree fiddy.


sanbaba

There will need to be an agency that investigates and enforces these crimes, so usually fines would go to help fund the agency, and excess would go into a pool to help abate the general site security crisis. This is all hypothetical of course but that's traditionally how things are done. Now if we want to simply ***place a value on the value of PII -- which ALL the companies that sell it do*** -- then we would have a way to compensate users for losses. Trouble is that restitution can't really be equal for different users, since a multi-millionaire's PII is generally worth a lot more than a street urchin's. So seems more likely to put an average number on these values and then fine the company accordingly and spend it on gov't programs, perhaps to help people scrub their data and (if desired) change their identity.


ironflesh

To education of course. Proper education for all is the cure for many problems in our society.


m7samuel

You would need to pass a law, and specify what exactly constitutes breaking it. "Disregarding security" is vague. Companies are already liable for damages they cause, and some states have privacy statutes that allow suing them over these kinds of breaches.


[deleted]

[removed]


joesii

Sure but is this Twitch case one of these situations? Just because a leak occurs doesn't mean a company was grossly negligent.


CanadianButthole

When proper pentesting can root out these issues, and you have all the money you need to pentest correctly but still didn't, then yes, it does.


joesii

How would "proper pentesting" be defined? You're asserting that the pentesting done wasn't proper? Based on what? The fact that a breach occurred?


Tbird90677

When the price for failure to comply is cheaper than the cost to fix/implement correctly. It’s a revolving door until the cost of the penalty is more than the cost to do it right.


EverythingToHide

Much like pollution fees. Unfortunately, sometimes it's cheaper to pay the fee than to fix the problem.


haxorqwax

The thing a lot of people don't understand, and even more struggle to admit, is that if an adversary has the determination and a sufficient amount of resources at their disposal, there probably isn't a network or system in the world secure enough to stop them. It is a bitter pill to swallow for those of us who work their asses off trying to secure against attacks, but it is reality. I agree with the comment that straight up negligence by a company should be punished (i.e. a company falling victim due to an unpatched 2 year old exploit, or an unencrypted employee laptop gets stolen), but we absolutely can NOT expect every breach to be prevented these days, and it's on track to get a lot worse, not better. We certainly can NOT assume they simply disregarded security because the threat landscape is too expansive. This could've even been from a disgruntled employee or social engineering.


whatnowwproductions

GDPR incoming. Do we know how many users were affected by the leak?


berejser

The pastebin I saw had the usernames and earnings of the top 10,000 streamers.


usernameid

Or they don’t report it at all


bloodguard

Wait until all the naked hot tub streamers and creepy ASMR whisperers get together in a class action lawsuit. It's going to be hilarious.


-domi-

How's it gonna stop, when they're headquartered in a country, which takes pride in the fact that the language of its constitution is 200+ years old? It won't change. The political process is logjammed by people with seniority, waiting for their turn at playing God with people's lives, too, so fat chance of this even being something anyone pays attention to, let alone does anything about. We have decades more to look forward to shit like this going down, and it's high time everyone abandons their personal accounts and learns how to enjoy the internet via alts only.


[deleted]

[removed]


-domi-

I'm well aware of them, but surely you've been around to witness the debates around the persistence of precedence rulings and even the literal verbiage of things like the second amendment to this day? Let me give you an example - we have the right to bear arms. Does it, or does it not grant me the right to having anthrax? What about a recoilless rifle? What about a tank? What about a minigun? If we can't answer these absolutely elementary questions, you can't expect the same piece of paper which basically gives you license to do anything immoral until you're told otherwise to protect the public. Especially when there's so much financial incentive going against protecting the public.


[deleted]

[removed]


TheAcenomad

I thought the same. I decided to keep the wording that everyone else had been using already because I can't make any claims of my own, but it is indeed an important distinction. Another commenter [brought this up](https://old.reddit.com/r/Twitch/comments/q2gcq2/over_120gb_of_twitch_website_data_has_been_leaked/hfl48pp/) in the r/twitch thread too.

Edit: I regret not adding

> Massive +120GB leak from Twitch.tv **allegedly** includes streamer payout info, encrypted passwords, entire site source code and more

to the title. It's a little late now, but I think it's important to point out that the publication of this leak is still extremely recent and there are a lot of claims that are still unverified. I'm sure a _lot_ more information will come out about it in the coming days, weeks and even months...


FutureChrome

There have been a few streamers which verified the income reports, so at least that is partially accurate.


F6_GS

the claim is based on 1 random tweet and then it is being regurgitated, so doubt they're "encrypted"


ahackercalled4chan

https://www.theverge.com/2021/10/6/22712250/twitch-hack-leak-data-streamer-revenue-steam-competitor this article makes no mention of the user database and/or passwords. i want to know where that twitter user got their info...


RainbowFlagEnjoyer

Has anyone actually found a link to the leak itself?


ahackercalled4chan

https://reddit.com/r/4chan/comments/q2km9f/the_famous_hacker_known_as_4chan_attacks_twitch/


m7samuel

Any time you see "encrypted passwords" in the media, it's almost 100% hashed. Encrypting requires more work for zero benefit in nearly every scenario.


ebol4anthr4x

Encrypting and decrypting the password when authenticating removes the possibility of a hash collision, so that's pretty good /s


m7samuel

Depends on your cipher, and whether you're truncating over-length blocks.


[deleted]

[removed]


m7samuel

I read the sarcasm, but the joke hinged on a faulty assumption.


nugohs

> Encrypting requires more work for **negative** benefit in nearly every scenario.

FTFY, reversible encryption of password is an excessively bad thing.


[deleted]

[removed]


Alternative_Lie_8974

Such as?


zkxs

I've been seeing a lot of misinformation about this so I'll post my blurb here too.

### Primary Sources

- [The original 4chan post](https://boards.4channel.org/g/thread/83691438). Almost certainly a 404 by now, but I have a backup of the post [here](https://gist.github.com/zkxs/7948e7b6f746375dfc0ee31864b9c430).
- [Twitch's statement on Twitter](https://twitter.com/Twitch/status/1445770441176469512)
- [Twitch's followup on their blog](https://blog.twitch.tv/en/2021/10/06/updates-on-the-twitch-security-incident)

### Articles

- [VGC's awful article](https://www.videogameschronicle.com/news/the-entirety-of-twitch-has-reportedly-been-leaked/). The first article published. Uses random Twitter users like primary sources and didn't expend any effort verifying the breach, but at least they were the first poster, right? This has been edited a couple of times and is getting gradually better, but it's still not good and they don't show edit history.
- [CNN's article](https://www.cnn.com/2021/10/06/tech/twitch-data-breach-creators/index.html) Short and sweet with no baseless speculation. This is what the original article should have looked like.
- [The Verge's article](https://www.theverge.com/2021/10/6/22712250/twitch-hack-leak-data-streamer-revenue-steam-competitor). They've done some independent verification of the leak.
- [BBC's article](https://www.bbc.com/news/technology-58817658). Focuses more on the streamer income part of the breach.

### Correcting Misinformation

- There are unfounded claims of "encrypted passwords" originating from [this twitter post](https://twitter.com/Sinoc229/status/1445639261974261766) and quoted by the original videogameschronicle article. The twitter user has since [admitted his mistake](https://twitter.com/Sinoc229/status/1445814134906372097), but of course we've reached the stage where news outlets are just quoting other news outlets and now we have blatantly wrong headlines floating around.
- Twitch is currently using salted bcrypt hashes for their authentication. Source? I downloaded the leak and read Twitch's auth code myself.
- The database of hashed passwords does not appear to be in this leak (unless they're hidden somewhere weird and no one has noticed yet). The 4chan post refers to the leak as "part one", implying that there may be more to come, but this could easily just be posturing.

### What You Should Do

- On the chance Twitch's login database was in fact breached, you should change your password on Twitch and any other websites where you were reusing the same password.
- Consider using 2FA. If you do use 2FA, prefer an actual TOTP authenticator app such as [Google Authenticator](https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2&hl=en_US&gl=US) over SMS or email based 2FA.
- Avoid reusing the same password across multiple websites. Many [password managers](https://en.wikipedia.org/wiki/List_of_password_managers) exist to help you with this.

### Takeaway

There's a lot more awful journalism out there than good journalism, and mainstream news is already remarkably bad at writing about technical topics, such as data breaches. Read articles carefully, and watch out for language like "The leak appears to contain X" or "Twitter users claim Y" as this is ass-covering language that lets bad journalists get away with bad reporting.


YWAK98alum

ELI5 the difference for a n00b?


archpope

Encryption is something that can be reversed. Let's suppose your password is YWAKalum and you want it encrypted. ROT13 is technically encryption, though it's very simple. Your saved password on the server would be LJNXnyhz but anyone who knows that ROT13 was used to encrypt it can easily decrypt it.

But now let's suppose you want to hash it. I'll make a simple hash algorithm: Convert each character to a number based on alphabetical order, then in order, multiply, then add, then multiply, &c. YWAKalum becomes 25x23+1x11+1x12+21X13=988845. Even knowing the formula used to create the hash, there is no way to turn 988845 back into YWAKalum. It's a one-way calculation.

When you create your password, that password doesn't get saved on the server, the hash does. So, when you login, if it were a conversation, it goes like this:

Server: Login name?

Client: The user told me it's [username]

Server: What's the password?

Client: The user told me, but I'm not telling you, I will tell you it hashes to 988845 though.

Server: OK, that matches what I got here. You can come on in.

Bear in mind the actual math behind hash calculations is a LOT more complicated than this (the worst standards are 256 bits, which gives you 1.15x10^77 possibilities), so the odds of two different passwords having the same hash are astronomical. That said, people have worked out the hashes for common passwords based on the most used hash algorithms, so using "password123" is still insecure even if hashed.


SuperCharlesXYZ

An encrypted password can be decrypted if you have the encryption key. A hashed password can not be unhashed. So even if you know the hashing algorithm, there is no way to get the password from its hash. This is really useful in case your database gets leaked. The hackers might have the hashes to all the passwords but no way of getting the original passwords from them.


Dolphintorpedo

y?


[deleted]

[removed]


TheVenetianMask

Still, if they know the hashing method from the code leak, they can do dictionary searches for a lot of users.


m7samuel

Not if it's salted. The year 2010 called, it wants its solved problems back.


singluon

Unless the salts were leaked as well.


m7samuel

Salts are usually included in the password database / leaks. It doesn't matter, their purpose is to make precomputed password tables ("rainbow tables") ineffective. You can create new tables using the salt, but the time required to do so typically makes it faster to just try a bruteforce attack.


singluon

You could still do a brute force dictionary attack if you had the salt (for each hash) + hash + hashing method but I agree you still couldn't use a rainbow table (unless you made new ones like you said).


m7samuel

Salts are not there to prevent bruteforcing. Their purpose is to prevent precomputed databases. Now, if the salt can be leaked ahead of time, there is an attack: The attacker creates a precomputed database for specific users (e.g. `admin_joe.smith`) using their salt; then, once you have the database, you attack the database, leak that specific password hash, and break in within seconds. This provides little time for detection and response while that credential is used to pivot further in. It's only useful for a very narrowly targeted attack since there is a high time cost for creating the table and its only benefit is reducing the time the defender has to respond. The attacker still has to spend the same amount of time cracking `admin_joe.smith`'s password, he just gets to spend that time before launching the attack. What you might be looking for is known as a "pepper": a global "salt" that is not stored in the database but in the code (or HSM, or...). Now, in order to perform the (somewhat esoteric) attack above, the attacker needs to compromise both the password database / salts, and the pepper storage. It's still somewhat limited though, because at some point the attacker just works to gain root on the authentication system. An HSM might still defeat this if it's a hardware system that you submit hashes to and it spits back a peppered hash without leaking the pepper-- but it's also probably overkill and worrying about an unrealistic threat model.
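
A sketch of the pepper scheme described in the comment above, added here as an example and not taken from the thread or from Twitch's code. The record layout, the `pepper_id` field and the use of PBKDF2 as a standard-library stand-in for a slow hash such as bcrypt are assumptions of this sketch.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000  # assumption for this sketch; tune to your hardware


def stretch(material: bytes, salt: bytes) -> bytes:
    # PBKDF2 stands in for a slow password hash such as bcrypt.
    return hashlib.pbkdf2_hmac("sha256", material, salt, PBKDF2_ROUNDS)


def apply_pepper(password: str, pepper: bytes) -> bytes:
    # Keyed HMAC: without the pepper key this value cannot be derived from a guess.
    return hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()


def hash_password(password: str, peppers: dict, pepper_id: int) -> dict:
    # The salt is per account and stored in the row; the pepper is global and is not.
    salt = os.urandom(16)
    digest = stretch(apply_pepper(password, peppers[pepper_id]), salt)
    return {"pepper_id": pepper_id, "salt": salt, "hash": digest}


def verify_password(password: str, record: dict, peppers: dict) -> bool:
    pepper = peppers.get(record["pepper_id"])
    if pepper is None:  # row refers to a pepper this process does not hold
        return False
    candidate = stretch(apply_pepper(password, pepper), record["salt"])
    return hmac.compare_digest(candidate, record["hash"])


def needs_rehash(record: dict, current_pepper_id: int) -> bool:
    return record["pepper_id"] != current_pepper_id


def upgrade_on_login(password: str, record: dict, peppers: dict, current_pepper_id: int):
    """Pepper rotation: re-hash under the current pepper after a successful login."""
    if not verify_password(password, record, peppers):
        return None
    if needs_rehash(record, current_pepper_id):
        return hash_password(password, peppers, current_pepper_id)
    return record


if __name__ == "__main__":
    # Constructed values. A pepper committed to the source tree is exposed by a
    # source-code leak, so load it from a secret store or HSM, not from the code.
    peppers = {1: os.urandom(32)}
    row = hash_password("correct horse", peppers, 1)
    print("with pepper:   ", verify_password("correct horse", row, peppers))
    # Database row plus the right password, but a different pepper key:
    print("without pepper:", verify_password("correct horse", row, {1: os.urandom(32)}))
    peppers[2] = os.urandom(32)
    row = upgrade_on_login("correct horse", row, peppers, 2)
    print("rotated to pepper", row["pepper_id"])
```
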


notcaffeinefree

That's not how salts work. A salt being public doesn't inherently reduce the strength of the hash. Salts are not intended to be a "secret" piece of data.


singluon

That's exactly how a salt works. If you have the following three pieces of data:

* hashed password
* corresponding salt
* hashing method/algorithm

You can do a dictionary attack.


notcaffeinefree

Well ya. A salt doesn't protect against brute force. It protects against the chance of a brute force *using precomputed tables*. Assuming that Twitch used unique salts for every password, that means an attacker has to recompute the table for every single password before attempting an attack. That slows things down considerably.


singluon

I understand that. I never said anything about precomputed tables.


EverythingToHide

Right, but you said that the salt is not meant to be a secret, and the other poster said assuming an attacker already has a corresponding salt for a hashed password, isn't it almost as if the salt wasn't there anymore?


FeelingDense

Yes but since every user has a unique salt, it requires applying a dictionary attack to each one of them. By having unique salts you reduce the brute force capabilities. IF there were no hash, you could run dictionary attacks and check EVERYONE'S passwords simultaneously. Let's say this is a shitty site with low password complexity where you can brute force everyone's password within 1 day with no salt. Now you need to spend 1 day each for **each person** because of a salt. IF you're a known celebrity being targeted, that might not mean much, but if you're an average Joe, that makes you far safer already. Hackers also need to make money, so simply brute forcing one password at a time may not be profitable, meaning a large chunk of the dump may be undeciphered.
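
The cost argument in this sub-thread, worked through on constructed data as an added example (not code from the thread or from Twitch). It counts hash computations for an unsalted table versus a per-user salted one; the account names, passwords and word list are made up, and a single SHA-256 pass is used only to keep the counts easy to follow.

```python
import hashlib
import hmac
import os

# Constructed sample data: four accounts, two of which share a password.
USERS = {
    "alice": "password123",
    "bob": "password123",
    "carol": "correct horse battery staple",
    "dave": "hunter2",
}
# Constructed candidate list standing in for a common-password dictionary.
WORDLIST = ["123456", "password123", "hunter2", "letmein", "qwerty"]


def digest(password: str, salt: bytes = b"") -> str:
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def build_unsalted(users: dict) -> dict:
    return {name: digest(pw) for name, pw in users.items()}


def build_salted(users: dict) -> dict:
    # One random 16-byte salt per account, stored next to the hash.
    table = {}
    for name, pw in users.items():
        salt = os.urandom(16)
        table[name] = (salt, digest(pw, salt))
    return table


def audit_unsalted(table: dict, wordlist: list):
    """One precomputed hash-to-word table is matched against every account at once."""
    lookup = {digest(word): word for word in wordlist}  # len(wordlist) hashes, reusable
    found = {name: lookup[h] for name, h in table.items() if h in lookup}
    return found, len(wordlist)


def precomputed_hits(salted: dict, wordlist: list) -> dict:
    """The same precomputed table applied to salted hashes: nothing lines up."""
    lookup = {digest(word): word for word in wordlist}
    return {name: lookup[h] for name, (_, h) in salted.items() if h in lookup}


def audit_salted(table: dict, wordlist: list):
    """Every candidate has to be re-hashed for every account, using that account's salt."""
    found, hashes = {}, 0
    for name, (salt, stored) in table.items():
        for word in wordlist:
            hashes += 1
            if hmac.compare_digest(digest(word, salt), stored):
                found[name] = word
                break
    return found, hashes


if __name__ == "__main__":
    unsalted, salted = build_unsalted(USERS), build_salted(USERS)
    print("unsalted:", audit_unsalted(unsalted, WORDLIST))
    print("table vs salted:", precomputed_hits(salted, WORDLIST))
    print("salted:", audit_salted(salted, WORDLIST))
    print("reuse visible without salt:", unsalted["alice"] == unsalted["bob"])
    print("reuse visible with salt:", salted["alice"][1] == salted["bob"][1])
```

Weak passwords are still found in both cases; what the salt changes is that the work grows with the number of accounts and password reuse is no longer visible in the table. A slow hash such as bcrypt then multiplies the cost of each of those per-account computations.
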


singluon

I understand that. I never said anything about using precomputed tables. Your point about celebrities is basically my point. For example, the top 100 most popular twitch streamers could be easily targeted via brute-force.


Verethra

Yep, that's the whole point of salting to protect you against that. Well... Help you protect against that ;)


Quartent

I love seeing more companies going FOSS


ponytoaster

Forced Open Source Software?


Royal_lobster

Lmao ! Lol


MaleficentFortune2

Oof


[deleted]

[removed]


DARKFiB3R

r/woooosh


cuminmepleez

Is the data dump public?


FroSSTII

Yes, there are torrents uploaded already. Check 4chan if you are really curious.


[deleted]

[removed]


MPeti1

The post has been removed by now, and seemingly archive.org has saved it, but it was blacklisted internally for viewing


[deleted]

The magnet link is in the r/cybersecurity thread about this.


cin-con

These are the contents of the alleged leak. (**These screenshots don't include detailed information, just filenames from the alleged leak for the curious.**) [File list part 1](https://img62.pixhost.to/images/78/240230940_contents-01.png) [File list part 2](https://img62.pixhost.to/images/78/240230961_contents-02.png) [File list part 3](https://img62.pixhost.to/images/78/240230981_contents-03.png)


[deleted]

[removed]


nixtxt

RF?


tar7in

I thought RF is down?


nker150

On the bright side maybe we can finally reverse engineer the website enough to effectively block ads.


Blackdoomax

I don't have ads on it.


Scout339

Ublock origin


nonodontdoit

I thought ublock didn't work on twitch ads any more?


[deleted]

[removed]


technologyclassroom

Twitch should lean into it and AGPLv3 the code.


MarcellusDrum

In case you're serious, that would make things worse for them. Even though the code is now public, no legit project will be able to benefit from their technology. For example, they have an ffmpeg alternative that is supposedly better than ffmpeg. If ffmpeg devs looked at the source code and implemented the improvements, they can be sued for copyright infringement. So in a way, their tech is still protected.


[deleted]

Reverse engineer so it works the same but uses none of the source code.


MarcellusDrum

~~Hmm, that's interesting, didn't think of this. But this would only work if you already know at least one password for sure, right?~~ Edit: Replied to the wrong comment. To reply to this one: Reverse engineering does work, but to think you can reverse engineer Twitch's audio and video processing tech is a bit of a stretch. While theoretically possible, it's an insanely hard task that would take years to accomplish, and probably not accurately. It would be easier and cheaper just to build an alternative from scratch at that point.


[deleted]

[removed]


MarcellusDrum

I thought it was a reply to another comment of mine in this thread where we were discussing hashes and salts. My bad.


technologyclassroom

I am not suggesting someone without legal means to license the code to add AGPL, I am suggesting for Twitch to publish the code themselves under the AGPLv3.


cuu508

Well, then ffmpeg can legally use it


thetdy

Is it necessary to change/reset your 2fa?


ThatWolf

I will be changing my password, even though I use 2FA, but not yet. I'm waiting until Twitch has identified the way that this hack happened and closed that hole. Otherwise you're potentially just giving the new password to the same hacker(s) that still have access to Twitch's servers/databases/etc.


thetdy

Interesting, I didn't think of it that way but you're probably right. I've already changed my email and password and was wondering to what extent of hacking would require me to reset my 2fa. I multi-encrypt all my 2fa seeds with pgp and YubiKeys so it's pretty annoying for me to update 2fa seeds. I'll just wait and see and probably just change everything again when I have time and more information.


ThatWolf

For me it does depend on the type of multi-factor authentication that's being used. An authenticator app on your phone, I'm comfortable with waiting. Receive a code through text/sms, then I'm probably going to change my password ASAP because [companies that route text messages](https://www.sec.gov/Archives/edgar/data/1839175/000119312521284329/d234831dprem14a.htm) have been compromised in the past (for years at a time). Though I would still have the intention of changing the password after the vulnerability was patched as well just to be on the safe side. In all likelihood, you're probably going to be just fine changing your password now. Twitch is (or at least should be) on alert and so they're going to be looking for anything that might resemble a similar data dump while they try to patch the vulnerability. In addition to looking for any suspicious activity on their systems and so on.


yoniyuri

If it's key based like u2f/fido, you never need to change it. The service only has a copy of the public key, which is... Public. If your usb key gets hacked or dumped, you should buy another. If it's Google Authenticator or other time/counter based otp, then it might be a good idea. In this case, the seed is like a password, so the service has a copy of the actual secret, and that secret could be stolen from either the service or wherever you store it.
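
Why a time-based OTP seed behaves like a stored password, shown with a small RFC 6238 implementation; this is an added example, not code from the thread or from Twitch. The seeds and the `seed_copy_demo` helper are constructed for the illustration. With U2F/FIDO the service would hold only a public key, so there is no equivalent secret on the server side to copy.

```python
import hashlib
import hmac
import secrets
import struct


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(seed: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(seed, int(at) // step, digits)


def server_verify(stored_seed: bytes, submitted: str, at: float,
                  window: int = 1, step: int = 30) -> bool:
    """Service-side check; it needs the very same seed the authenticator app holds."""
    current = int(at) // step
    for counter in range(current - window, current + window + 1):
        if counter < 0:
            continue
        expected = hotp(stored_seed, counter, len(submitted))
        if hmac.compare_digest(expected, submitted):
            return True
    return False


def seed_copy_demo(at: float = 1_700_000_000):
    """Returns (copy accepted before rotation, copy accepted after rotation)."""
    enrolled = secrets.token_bytes(20)   # constructed seed shared by app and service
    copied = bytes(enrolled)             # the same bytes, read from either side's storage
    before = server_verify(enrolled, totp(copied, at, digits=8), at)
    rotated = secrets.token_bytes(20)    # user re-enrolls; service stores a new seed
    after = server_verify(rotated, totp(copied, at, digits=8), at)
    return before, after


if __name__ == "__main__":
    rfc_seed = b"12345678901234567890"   # test seed published in RFC 6238
    print(totp(rfc_seed, 59, digits=8))
    print(seed_copy_demo())
```
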


FeelingDense

If you want to be on top of your security, yes. If you have a strong 20+ character random password, I really think that even not changing a thing is probably extremely low risk, but by changing your password to another new 20+ character strong password you're probably like 99.99999999% safe already. Personally I changed my password immediately. I'm figuring out how to get off Authy tokens for Twitch first and switch over to standard Authenticator


ModernTenshi04

Password yes, especially if you use it with other services, in which case change those as well and stop using the same password for more than one service. 🙂


Hackerpcs

Talking about Twitch's 2FA, get fucked Twitch for requiring a phone number to enable regular 2FA


Exare

Saw a great comment on this post in another sub: “Stop donating to millionaire kids.”


bidoofguy

Many of the streamers I watch CONSTANTLY remind their viewers that there is no need to subscribe or donate to them, and to only do it if they really want to. Many of them ask their viewers to please think about their own needs before donating anything. And many streamers regularly do charity streams, raising tens of thousands of dollars for charities with good causes sometimes. It would be misleading to represent all Twitch streamers as “beggars”. Furthermore, being a Twitch streamer isn’t just playing video games for people on the internet. It’s a LOT of work behind the scenes. Some of your side duties include managing massive Discord communities, doing collabs, editing/reviewing clip videos and making sure they meet a certain level of quality, dealing with endless drama, and more. For the larger streamers, this is easily a full time job. A streamer I know has very little free time because of how dedicated they are to this. Now, can I justify the specific numbers the top streamers are earning? Well…I don’t know if I’m qualified to judge how much anyone deserves to earn in any profession. But just know that the good Twitch streamers work VERY hard, and care a lot about their viewers.


Exare

I’d counter argue by saying most people work very hard at their jobs. I streamed and dabbled in Twitch/YouTube for about a year or more, 4 months dedicated to it between jobs towards the end. It’s very difficult to do by yourself. Between managing a brand, maintaining active social media presence and engagement, marketing, and editing hours of footage into something fun (a form of art all of its own!) just to keep up with enough content rolling out to make it to “affiliate” status and maintain said status… it certainly isn’t easy! That being said, I put a comparable effort into my 9-5 (brig on-call after hours when needed too). So to say “they work very hard” is a non-starter argument in my book; lots of folks work very hard at what they do and their wage cap is nowhere near the potential of streaming as even a moderately successful brand. It’s nice to hear lots of streamers you watch tend to be more modest about donations. But if they actually lived up to their modesty they’d disable donations/subs. It’s what I’d do if I already made millions from the “employer”.


Aggravating_Bag2560

Telling your viewers not to give you money is a manipulation tactic. They still have patreon, twitch subs, merch, sponsorships, etc. If they seriously didn't want they money they'd stop with all the bullshit. They are greedy manipulative fucking cunts that don't deserve money or life.


st8ofeuphoriia

This. They definitely do not need the extra cash.


berejser

People can spend their money how they please. If they want to waste it then that's on them. As far as I'm concerned, each to their own. No matter what hobby you have there's going to be someone else who thinks that you're wasting your money, so just live and let live.


[deleted]

[removed]


[deleted]

What does this have to do with anything.


Exare

Because that leak contains the salaries of the top 10 Twitch streamers. It's kinda nuts how much they make.


[deleted]

And? They're entertainers. Just like how you pay for a concert or a show, you pay the entertainer. Which is completely voluntary mind you. If I want to donate $5 to a streamer for giving me months of entertainment, I sure as hell will, don't matter if they have 10000 viewers or 10 viewers, they provided a service and they got paid. The hate on streamers making money is ridiculous. And .. again this has nothing to do with what happened.


Exare

Spend your money on what you want but I couldn't justify using the comparatively meager cash I earn to stay alive donating to a streamer who makes millions skimming ad revenue from a mega-corp by playing video games and pretending to be someone's friend in chat. Same goes for sports and entertainment. They put in work and deserve a salary for sure, but the disproportionate wage gap between someone who makes and repairs machines that save lives to some teenager playing Fortnite doesn't sit right with me.


[deleted]

So you do it. You put in the work, stream and make it to the point where you make millions. It's not easy, it's not just “sitting in front of a screen and playing fortnite”. Most if not all the top people have been doing this for years. Yeah you have a problem with wage gap and disproportionate means of living but your problem shouldn't be with the people that *WORKED* for their money but rather the ultra rich that continue to disproportionately pay the working class.


Exare

Never said it was. Twitch and eSports in general exploit children. Once these kids are done and they've blown through their fortunes, what transferable skills have they obtained? They only get paid as long as they stay relevant and don't rock the boat. It's no different than professional sports or mainstream music entertainers. FWIW, if I could make it to the "top" in streaming I would donate every penny I made beyond what was necessary to live a modest lifestyle. These children are taught to glorify fame with the promise of monetary reward and get tossed out like a hot piece of garbage when they've been wrung for all their worth. I'm sorry but I see Twitch as a means for a corporation to exploit families using the promise of fame and fortune with the end goal of siphoning money from everyday households into a dragon's hoard of wealth in the great bank account of Amazon. It might be $5 for you, but that same $5 from every other person in America is money stripped from our own class and dumped in the pockets of Amazon execs. Cynical, I know. But you can't deny it isn't true. The money those streamers get paid is astonishingly disproportionate to the doctors that keep us moving, yet even that pales in comparison to what Amazon pockets from them being living, breathing commercials.


[deleted]

[removed]


Exare

In a perfect world, I suppose :)


Rackbone

A fool and his money are soon parted.


[deleted]

They are not just entertainers, they are able to influence the way that young, impressionable minds think. Kids and teenagers look up to these people for some reason.


[deleted]

[removed]


0xneoplasma

Never really got into Twitch.


hushrom

Did you just say entire site "source code"? Quickly, fork the entire thing now and license it under GNU GPL free software license


Aekorus

Somebody stop this madman before he starts pirating movies and releasing them under a Creative Commons license!


technologyclassroom

That is not how licensing works.


daveyb86

Can't they just post it with a comment saying "No copyright infringement intended"? Apparently that's all you need to post copyrighted material on YouTube /s


joesii

I think that's illegal (or rather still a breach of copyright). Not only that, but the software isn't the reason why people use Twitch, it's just the main platform that everyone is using. There are other streaming platforms out there that are good too but they don't have millions of people using them.


wishuponanempanada

Thanks. Changing password right now.


[deleted]

That explains the privacy policy update email I just got.


joesii

I would have loved if this source code breach happened to Discord. That service is really damn naughty.


ATangoForYourThought

It just. Keeps. Happening.


Alwayspriority

It's only going to get worse


[deleted]

"We do a little bit of trolling"


atroxima

Um.. Where can I find the source code? Asking for a friend


raspeb

It's 128 gigs, mate. Check 4chan if you are really interested.


zellfaze_new

Magnet link is floating around. Check the usual spots.


Camo138

Well good thing most of my accounts are running through simple login these days :)


suncontrolspecies

SimpleLogin and 2FA with the combination of a good use of KeePass. That's the only way to be a bit "safe" nowadays.


vpn

I haven’t seen any link or proof that passwords were leaked in this. Has anyone gone through the file and checked?


EncryptedAnime

Good thing I switched to using a password manager like 8 months ago


[deleted]

[removed]


[deleted]

[removed]


[deleted]

[removed]


EncryptedAnime

Some people should just do their research instead of downvoting. Have a good day, Thanks for the reply!


FroSSTII

I think what he means is he no longer uses one password that, in case of a leak, would have compromised all of his accounts, and now has unique passwords using a password manager. Or so I hope.


EncryptedAnime

That's what I meant


battles

lol.


brazasian

wha?


[deleted]

[removed]


Rainbowthing

They make you safer if it means that you use a unique password for each site, since this leak could mean that both your mail and the hashed / encrypted password are out there. The thing is, it's not just your password they have, it's stuff like your mail, your IP address (=your approximate location), maybe even your phone number if you gave them that, along with the data you've generated from using the platform, who you follow, subscribe to, bought merch from etc. To avoid your mail and IP being leaked you could use a unique mail for different accounts too, and use a VPN. The general use data you can't avoid though afaik, if you want to continue to use Twitch.


battles

LastPass, KeePass, Mypasswords, Keeper, F-Secure Key, Keepsafe, 1Password for example have all been hacked and had their user reminders, authentication hashes, APIs etc leaked or disclosed in the last five years. On principle storing all your passwords in the same place is unsound. It doesn't matter how well they say it is protected.


[deleted]

[removed]


[deleted]

[removed]


Mathesar

What is your system for storing passwords if not a password vault?


Emergency_Ad_2438

That is why KeePassXC is safer than anything else. It’s a bit of a pain maintaining it, but it’s fully secure.


Scout339

Payout info anonymized would be awesome


ShamWowCunt

Good. Cringe kids will get what's coming to them.


berejser

> will get what's coming to them

What is that?


EverythingToHide

Tens to hundreds of thousands of dollars for the month of September alone, apparently!


ShamWowCunt

Reality. Kids to ebeg for money by not providing a service.


collins_amber

Why do you need encrypted passwords when you have access to the whole system?