twitch.tv hacked, change your passwords
posted in Off Topic
#1
0 Frags +

https://www.reddit.com/r/Twitch/comments/q2gcq2/over_120gb_of_twitch_website_data_has_been_leaked/

https://www.theverge.com/2021/10/6/22712250/twitch-hack-leak-data-streamer-revenue-steam-competitor
#2
3 Frags +

[i]Vapeworld[/i]
#3
13 Frags +

https://pastebin.com/LjmaPNam
ctrl f ppl u wanna see
looks like our boy b4nny grossed 80k on twitch circa 2 years ago
#4
-7 Frags +

people are really just getting shafted by taxes after receiving this payout
#5
-8 Frags +

i wonder how fast xQc's account got snaked and i wonder if anyone was able to do any damage with it
#6
1 Frags +

xqc prob had 2fa
#7
10 Frags +

[quote=Reero]https://pastebin.com/LjmaPNam
ctrl f ppl u wanna see
looks like our boy b4nny grossed 80k on twitch circa 2 years ago[/quote]

pastebin is 404'd

Also, I thought he would be making way less
#8
0 Frags +

Is the earnings before or after taxes!
#9
13 Frags +

I assume before
#10
9 Frags +

i wonder if pastebin staff actually took that down. i have never seen that before

didn't even know pastebin [i]had[/i] staff
#11
6 Frags +

[quote=glass]i wonder if pastebin staff actually took that down. i have never seen that before

didn't even know pastebin [i]had[/i] staff[/quote]
Wouldn't be surprised. Pastebin have been super lame as of recent, got rid of the search function and actively went out of their way to remove pastebins that leak stuff like this
#12
6 Frags +

https://web.archive.org/web/20211006143529/https://pastebin.com/LjmaPNam
this works if you’re curious
#13
15 Frags +

https://www.twitchearnings.com/ better link. It's from aug 2019 till october 2021, so b4nny's 80k makes more sense
#14
16 Frags +

The leak does not include money from donations, merch, youtube videos, sponsorships etc. So in reality a lot of these streamers are even wealthier than the stats suggest.
#15
12 Frags +

who the fuck is subbing to esl_csgo
#16
0 Frags +

quit pocket watchin smh
#17
31 Frags +

[quote=Hunter_2_0]who the fuck is subbing to esl_csgo[/quote]
[img]https://pbs.twimg.com/media/DsQlinlXQAABlQN.png[/img]
#18
0 Frags +

Now let’s see how much bank he made from b4nny stickers
#19
11 Frags +

[quote=Hunter_2_0]who the fuck is subbing to esl_csgo[/quote]
It's 99.9% ad revenue I guess, additionally they also have ads running almost all of the time when doing reruns and people still watch those too
#20
EssentialsTF
13 Frags +

[quote=Bloodis][quote=Hunter_2_0]who the fuck is subbing to esl_csgo[/quote]
It's 99.9% ad revenue I guess, additionally they also have ads running almost all of the time when doing reruns and people still watch those too[/quote]
Twitch ads are far more lucrative than youtube ads
#21
6 Frags +

[quote=RoL]xqc prob had 2fa[/quote]
TOTP will not protect your account in this situation, the hashed password would
TOTP relies on a secret key to be shared between the authenticator (the app on your phone) and the validator (the twitch servers), both use that key to run the algorithm (described in RFC 4226 and 6238), because of that, the secret key must be accessible in some lossless way by the twitch servers, and in the case of a compromise, you have to assume that this secret key has been compromised. Hashed passwords remain safe [b]for a finite period of time[/b] after a compromise because the actual password isn't stored anywhere, and the only way to get in is to crack it using a large amount of computer power.

[quote=Hunter_2_0]who the fuck is subbing to esl_csgo[/quote]
[code]
field                       sum
ad_share_gross              2488615.89
sub_share_gross             25591.69
bits_share_gross            3923.25
bits_developer_share_gross  0
bits_extension_share_gross  69.96
prime_sub_share_gross       48650.59
bit_share_ad_gross          25.56
fuel_rev_gross              0
bb_rev_gross                0
[/code]
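
Added example, not part of any post in this thread: post #21's point about TOTP, shown with a minimal RFC 4226/6238 implementation and a server-side login check. The account record is constructed, the seed is the RFC 6238 test seed, and PBKDF2 is an assumed stand-in for the site's password hash.

```python
import hashlib
import hmac
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter set to the current 30-second step."""
    return hotp(secret, unix_time // step, digits)

def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 is a stand-in (assumption) so the example needs only the stdlib.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed server-side record. The password is stored only as a one-way
# hash, but the TOTP seed must be stored in a form the server can read back.
RECORD = {
    "pw_salt": bytes.fromhex("00112233445566778899aabbccddeeff"),
    "totp_seed": b"12345678901234567890",  # test seed from RFC 6238 Appendix B
}
RECORD["pw_hash"] = hash_password("correct horse battery staple", RECORD["pw_salt"])

def verify_login(record: dict, password: str, code: str, unix_time: int) -> bool:
    """Server-side check: re-hash the password, recompute the code from the seed."""
    pw_ok = hmac.compare_digest(
        hash_password(password, record["pw_salt"]), record["pw_hash"])
    code_ok = hmac.compare_digest(totp(record["totp_seed"], unix_time), code)
    return pw_ok and code_ok

if __name__ == "__main__":
    now = 59  # timestamp from the RFC 6238 test vectors
    phone_code = totp(b"12345678901234567890", now)  # what the app displays
    print(phone_code,
          verify_login(RECORD, "correct horse battery staple", phone_code, now))
```

The verifier needs the raw seed but never the raw password, which is why a breach response has to re-enrol TOTP seeds as well as reset passwords.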
#22
2 Frags +

[quote=twiikuu]Hashed passwords remain safe [b]for a finite period of time[/b] after a compromise because the actual password isn't stored anywhere, and the only way to get in is to crack it using a large amount of computer power.
[/quote]

https://twitter.com/cybertillie/status/1445839064733790208

[spoiler]lol[/spoiler]
#23
serveme.tf
5 Frags +

[quote=negasora][quote=twiikuu]Hashed passwords remain safe [b]for a finite period of time[/b] after a compromise because the actual password isn't stored anywhere, and the only way to get in is to crack it using a large amount of computer power.
[/quote]

https://twitter.com/cybertillie/status/1445839064733790208

[spoiler]lol[/spoiler][/quote]

All this code shows is that all the passwords are stored with bcrypt now. Before using bcrypt they used SHA1 hashes with a [s]salt[/s] pepper :(. Those are relatively easy to crack because SHA1 hashing is very very fast.

Sadly, they seemed to have used a single salt (so actually a pepper) for all passwords:
[code]// SHA1Salt is the single salt used for all pre-BCrypt passwords
SHA1Salt = "theleakedcodecontainsthepepper"
// PasswordCutoffTime is the last time we reset passwords. Passwords older than this timestamp must be reset
PasswordCutoffTime = 1427025600 // March 22, 2015, never forget[/code]

If you logged in since March 2015, you'll have reset your password and it should no longer be stored as salted SHA1.

If a database ever leaks with the salted SHA1s still in them, it would be trivial to crack all those old passwords.
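
Added example, not part of the post above and not code from the leak: an audit of the storage scheme post #23 describes, showing that one salt shared by every account leaves equal passwords with equal digests, that a per-user salt removes this, and how the quoted cutoff timestamp selects accounts that must reset. The salt value, the accounts and the salt-then-password order are assumptions, and PBKDF2 stands in for bcrypt so that only the standard library is needed.

```python
import hashlib
import os
from collections import defaultdict

GLOBAL_SALT = b"constructed-placeholder-salt"  # constructed, not the leaked value
PASSWORD_CUTOFF_TIME = 1427025600               # from the snippet quoted in post #23

# Constructed accounts: (user, password, last password change as Unix time)
ACCOUNTS = [
    ("alice", "hunter2", 1400000000),
    ("bob", "hunter2", 1500000000),
    ("carol", "tr0ub4dor&3", 1420000000),
]

def legacy_digest(password: str) -> str:
    # Assumption: salt prepended to the password; the post does not show the order.
    return hashlib.sha1(GLOBAL_SALT + password.encode()).hexdigest()

def migrated_digest(password: str) -> str:
    # Fresh random salt per account plus a work factor (PBKDF2 as bcrypt stand-in).
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + "$" + dk.hex()

def build_table(digest_fn) -> dict:
    """Map each constructed user to the digest that scheme would store."""
    return {user: digest_fn(pw) for user, pw, _ in ACCOUNTS}

def repeated_digests(table: dict) -> list:
    """Return sorted groups of users whose stored digests are identical."""
    groups = defaultdict(list)
    for user, digest in table.items():
        groups[digest].append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

def must_reset(last_change: int) -> bool:
    """Passwords last set before the cutoff may still be in the legacy format."""
    return last_change < PASSWORD_CUTOFF_TIME

if __name__ == "__main__":
    print("shared salt :", repeated_digests(build_table(legacy_digest)))
    print("per-user    :", repeated_digests(build_table(migrated_digest)))
    print("must reset  :", [u for u, _, t in ACCOUNTS if must_reset(t)])
```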