Board 8 > Anyone else's Twitch account get stolen?

(+) Yeah! (+)

It's been a few days with no response to my support ticket. I fortunately don't have a credit card on there but it is connected to Amazon.
---

Don't reuse passwords

So I've heard, thanks. I don't know how I'm supposed to remember a completely unique password for every website though. Could start using randomly-generated ones but then I won't be able to enter them from memory at all.
---

Reg's follow-up response will be "use a password manager"
---

It doesn't seem all that secure to me to put all my passwords behind one login, though. Maybe the password managers are very secure, but it's hard to trust that.
---

I could never work out if password managers were a good idea or not simply because if someone got into yours you would be fucked

someone did get into my Twitch account a few days ago, but they didn't do anything with it so I just changed my password and set up 2fa so it doesn't happen again
---

At least I can safely say that the password on my Twitch account should never be used again, but I don't think I've registered with it anytime recently anyway.
---

paperwarior posted...

It doesn't seem all that secure to me to put all my passwords behind one login, though. Maybe the password managers are very secure, but it's hard to trust that.

I actually agree
---

Now I know to activate 2FA ASAP when I start getting those notifications. That at least should be hard to fake.
---

I have all of my passwords written down on a notebook
---

That trades off in-person security for Internet security, I guess.
---

I'm not expert on this or anything but I feel like having a bunch of passwords isn't hard and if it is you're probably over complicating it. Like realistically to be reasonably secure you only need a small handful of core passwords, then you just need to theme them in some way where they're not literally identical but similar enough that it's not a strain to remember them. Like for instance you could make your Twitter password TweetOfTheElderGods4$ and your GameFAQs password FAQsOfTheElderGames!8.

If the person knows your style and other accounts you have there's a slight risk, but it's probably more secure than writing them down or using a password manager I think.

Of course you can combine the two approaches too. If you've got a pattern memorized you can write down the variations somewhere without actually writing the whole password there so someone would need to have compromised both for there to be a lot of risk. Twitter you could just put Eldest Tweet Gods 4$ and GameFAQs you could put Eldest FAQs Games !8
---

paperwarior posted...

That trades off in-person security for Internet security, I guess.

Yea but you can have it hidden

and as long as you don't blab about it like an idiot to anyone, no one will know to look for it
---

Yep mine got hacked but luckily I was able to still login through Facebook authentication. Apparently the twitch app on Samsung TVs wasn't official and it was actually a Russian app where they were taking account info. The app has been removed from TVs but I'm assuming that's where most of the hacking came from. How it even existed for as long as it did is absolutely crazy.

I put in a support ticket on April 15th and it JUST got answered yesterday. They reversed the email on my account so I was able to update my password and add TFA protection.
---

Most password managers make you identify yourself through email or text or so on if you use them on a computer you haven't used before, so somebody would have to have both the password to your email/your phone/whatever and the password to the manager to get in.
---

paperwarior posted...

It doesn't seem all that secure to me to put all my passwords behind one login, though. Maybe the password managers are very secure, but it's hard to trust that.

There are password managers that aren't run by somebody else/don't use cloud storage (Unless you combine them with something like Dropbox). For example, Keepass (https://keepass.info/ and the one I've been using for about ten years) creates a local file that only goes onto the internet if you want it to.

That said,
skullbone posted...

Yep mine got hacked but luckily I was able to still login through Facebook authentication. Apparently the twitch app on Samsung TVs wasn't official and it was actually a Russian app where they were taking account info. The app has been removed from TVs but I'm assuming that's where most of the hacking came from. How it even existed for as long as it did is absolutely crazy.

I hadn't heard this was the issue (The times I have heard of twitch accounts specifically getting stolen recently were all cases of reused passwords from other hacks), but in this case unique passwords and password managers really wouldn't save you. So if you got yours stolen through this, uh, "oops".

But yes, everybody should be using password managers of some sort, and even if this was a well-executed phishing case, it still highlights the dangers of password reuse. A physical notebook is ok when combined with some way to generate decently strong passwords, but it obviously has its own issues w.r.t physical security. Also, yes, 2FA on anything and everything that supports it. That's possibly even more important because it's what would've saved you here.

Keepass sounds like my kind of thing, actually. But I'm pretty sure here it was old data breaches. I have some sites in my history that have been compromised, and that may have been an old password set on Twitch because I tend to vary between them, rather than always making a new one, especially with the annoyance of being required to update to one I haven't used.
---

Arti posted...

someone did get into my Twitch account a few days ago, but they didn't do anything with it so I just changed my password and set up 2fa so it doesn't happen again

Had this exact thing happen to me and I responded in the same way.

I actually got an email from Twitch about the sign in and within 5 minutes had changed my password and set up 2FA.
---

Was going to recommend keepass but Reg beat me to it.
---

Am i supposed to read that as key pass or keep ass

Is it keeping my ass safe

Or keeping someone else's ass for me
---

Peace___Frog posted...

Am i supposed to read that as key pass or keep ass

Is it keeping my ass safe

Or keeping someone else's ass for me

keepass.info posted...

KeePass Password Safe

The capitalization speaks for itself.

paperwarior posted...

It's been a few days with no response to my support ticket. I fortunately don't have a credit card on there but it is connected to Amazon.

I had this happen to me a few weeks ago. They logged in from Egypt. I instantly changed my password and made it 2 step auth. They used my Amazon prime sub on some dude I don't know.
---

Oh hey Corrik's back

Hi Corrik
---

Reg posted...

The capitalization speaks for itself.

Obviously i was far too lazy to go to the site
---

That's why I quoted it for you...

Got logged in from Thailand last night.

They didn't change my password though
---