
PSA: Twitch 

go change your passwords and activate 2FA NOW!

2FA everywhere you can.

Please boost.

PSA: Twitch 

2FA seeds were leaked.

You'll need to deactivate 2FA, and re-enable it to make it secure again.

Please boost.

PSA: Twitch 

Waiting to find out that the Amazon federated login creds were also held locally at Twitch, and this becomes a full blown Amazon leak.

Always the sidechannels.

@thegibson @faoluin @oreolek Yeah, I think I'm going to spend the day updating all my passwords, for everything.

It's probably about due, anyway.

@faoluin @TheGibson @oreolek general question about that: this sort of breach would only allow intercepting the 2fa code itself, right? no passwords or other credentials? (unless they could somehow get that information using the recipient phone number)

@carcinopithecus @faoluin @oreolek password hashes and salts were captured as well.

The kimono is basically open according to early research.

@oreolek
We want to make access to our service extra secure. Therefore we ask for even more personal data.
:awesome:
@thegibson

@oreolek @TheGibson sure enough... can't change my info without a phone number. dumbasses

@oreolek @TheGibson
Oh it gets better. Their verification of phone numbers is currently broken and doesn't work

PSA: Twitch 

@TheGibson This is really an interesting week innit.

PSA: Twitch 

@TheGibson Do we have a proof check on this?

PSA: Twitch 

@dotUser I have had it confirmed by a third party. I am not personally reviewing the data... but it looks like they got everything... as such, better safe than sorry.

PSA: Twitch 

@TheGibson Just wanted to be sure, if they're someone you trust to be honest I'll be sure my stream crew is informed.

PSA: Twitch 

@dotUser I trust them, and even if they are wrong, it's a good preventative measure to take in light of this.

PSA: Twitch 

@TheGibson Is there a Part2 dropped, some places people are saying part1 doesn't have important data.

PSA: Twitch 

@dotUser I haven't seen a part 2.

But early reports of unimportant data have been proven false... you may be hearing echoes.

PSA: Twitch 

@TheGibson I'm mostly trying to be sure everything's been verified. It's really irritating how many incompetent people regurgitate shit everywhere.

PSA: Twitch 

@TheGibson There's a place or two I'm in where some folks fancy themselves "hackers" using the white/black terminology you see from kids too.

PSA: Twitch 

@dotUser Agreed. At this point this is a better safe than sorry situation.

PSA: Twitch 

@dotUser @TheGibson
Do it anyways. Worst case you wasted 5 minutes. Best case: you prevented someone getting past your 2FA.

PSA: Twitch 

@thegibson should this process be generally added to the regular password rotation habit?

PSA: Twitch 

@feonixrift requires a leak to have occurred, so after this week, I'd say yes.

re: PSA: Twitch 

@thegibson ha my lack of 2fa vindicated!

PSA: Twitch 

@masstransitkrow I'm like 60% sure this happened at this point, so better safe than sorry.

PSA: Twitch 

@TheGibson Did you learn this looking at the leak itself, or from another source?

PSA: Twitch 

@polyplacophora read the thread.

My eyes are not the source, but trusted eyes are.

PSA: Twitch 

@TheGibson just so you know, at least on my end, the thread is only three toots long and the one I initially replied to is the second one. I'll go look at your account to see if the thread was broken and there's more I missed.

PSA: Twitch 

@polyplacophora I am not mad specifically, I just had a bunch of those questions all at once.

PSA: Twitch 

@thegibson the virgin 2FA vs the chad using a several hundred character long password

PSA: Twitch 

@thegibson No way to do that without giving them my phone number, as far as I can see. 😠

Makes me feel like nuking my account from orbit instead, but I can only "disable" it, which is ... a bit unclear. Fuck.

Time for a support case, I guess.

PSA: Twitch 

@liebach loooonnnngggg password is acceptable as well.

PSA: Twitch 

@thegibson I always have 20+ character unique and completely random passwords, and just changed it.

PSA: Twitch 

@thegibson "Your account has been deleted" Hooray!

re: PSA: Twitch 

@TheGibson fffffffuuuuuuuuuuhhhhhh

PSA: Twitch 

@TheGibson What do you mean, cause I'm using a separate app.... ?

PSA: Twitch 

@TheGibson OMFG. Thank you for telling me this! I would never have known. I can't believe twitch isn't even putting up a banner on their site. Shockingly irresponsible!

PSA: Twitch 

@objectinspace

I think they are still assessing the scope of the breach. My trusted researchers have an 80% confidence level, so we are past "better safe than sorry" in my book.

PSA: Twitch 

@TheGibson Sure, but they know that passwords are breached, they should be force logging out everybody, or at least put up a notification on the website.

PSA: Twitch 

@TheGibson ...And, as soon as I say that, I get force logged out and told to update my password. Good.

PSA: Twitch 

@objectinspace so have you realized that Trump lost, or I gotta block yo' ass?

@TheGibson Uh, not sure what that has to do with anything, but I never voted for Trump and I believe that he lost legitimately. That said, the electronic voting systems we use seem woefully insecure, and we need to get serious about that, like, yesterday.

PSA: Twitch 

@TheGibson THIS is the reason why TOTP are not a Real second factor but just Opium for the people.
Only Real second devices or Hardware Keys will protect you. OTP seeds can always leak even without you knowing.
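Added worked example (not from anyone in this thread, and not Twitch's code): the PSA earlier says the 2FA seeds leaked and that you must disable and re-enable 2FA, one reply asks whether such a leak only lets someone intercept a single code, and the post above says OTP seeds can leak without you knowing. The block below implements RFC 6238 TOTP (HMAC-SHA1, 30-second step, 6 digits) from scratch so you can see why: whoever holds the seed computes exactly the codes the server expects, for every time step, forever, until the seed is replaced. The seed value is the RFC 6238 reference secret (constructed test input, not a real leaked key); the "new seed" after re-enrollment is generated locally.

```python
"""
Why a leaked TOTP seed defeats 2FA, and why re-enrolling fixes it.

Illustration added for this thread; not Twitch's implementation.
RFC 4226 HOTP + RFC 6238 TOTP, HMAC-SHA1, 30 s step, 6 digits.
"""
import hashlib
import hmac
import secrets
import struct

TIME_STEP = 30
DIGITS = 6

# Constructed input: the RFC 6238 Appendix B reference secret, so the
# codes produced here can be checked against the RFC's published vectors.
LEAKED_SEED = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, at: int, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    return hotp(key, at // step, digits)


def verify(key: bytes, code: str, at: int, window: int = 1) -> bool:
    """Server-side check, accepting +/- `window` steps of clock skew.
    Uses a constant-time comparison so the check itself is not a side channel."""
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp(key, at + drift * TIME_STEP), code):
            return True
    return False


def seed_leak_demo(server_seed: bytes, at: int) -> dict:
    """
    The attacker has nothing but the dumped seed. Whatever the legitimate
    authenticator app shows, the attacker computes the same value, and it
    verifies against the server. After the user disables and re-enables
    2FA the server holds a fresh seed, and the old one is worthless.
    """
    attacker_code = totp(server_seed, at)          # computed from the leaked seed
    legit_code = totp(server_seed, at)             # what the user's app displays
    result = {
        "attacker_matches_app": attacker_code == legit_code,
        "attacker_passes_old_seed": verify(server_seed, attacker_code, at),
    }
    # Re-enrollment: the server generates a new random seed (assumed here to be
    # 20 random bytes, the SHA-1 block size most authenticator apps use).
    new_seed = secrets.token_bytes(20)
    result["attacker_passes_new_seed"] = verify(new_seed, attacker_code, at)
    return result


if __name__ == "__main__":
    # Unix time 59 is the first RFC 6238 vector; 6-digit SHA-1 code is 287082.
    print(totp(LEAKED_SEED, 59))
    print(seed_leak_demo(LEAKED_SEED, 59))
```

Two things the demo makes concrete: the code is not "intercepted", it is recomputed, so a leaked seed is equivalent to having no second factor at all until the account is re-enrolled with a new seed; and the usual +/- one step skew window means the attacker has a roughly 90-second span in which a code is accepted, not the 30 seconds the app displays. A hardware key avoids this class of problem because the private key never leaves the device, so there is no seed on the server side to dump.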

PSA: Twitch 

@thegibson HECKSSAKE and here I thought the 2FA was a safeguard

PSA: Twitch 

@thegibson Also: finally Twitch heard us and is no longer requiring closed-source Authy for 2FA, instead relying on the good old OTP standard. Already stored my keys in Aegis and Bitwarden, for good measure

hackers.town