Look, I’m not going to get into whether you should be using Twitch or not, but the reality is many people do. I’ve been seeing increasing calls, particularly on Discord servers, to change your Twitch password, and on any site you use the same password on.

Those calls mean well, I’m sure, but is it actually necessary? I’m going to assume that Twitch implements password hashing and salting correctly (though, with the source code leaked, you could presumably just check), so realistically even though the authentication database was leaked, there would be no way for an attacker to get access to your real password, right? Isn’t this the exact situation password hashes are meant to protect against? I feel like the most we’d have to worry about is login tokens for apps and session cookies, which can be pretty easily mitigated from the server side by invalidating them all.

  • m-p{3} ⛔
    13 years ago

    I’d err on the side of caution and just generate a new password.