Look, I’m not going to get into whether you should be using Twitch or not, but the reality is many people do. I’ve been seeing increasing calls, particularly on Discord servers, to change your Twitch password, and on any site you use the same password on.

Those calls mean well, I’m sure, but is it actually necessary? I’m going to assume that Twitch implements password hashing and salting correctly (though, with the source code leaked, you could presumably just check), so realistically, even though the authentication database was leaked, there would be no way for an attacker to get access to your real password, right? Isn’t this the exact situation password hashes are meant to protect against? I feel like the most we’d have to worry about is login tokens for apps and session cookies, which can be pretty easily mitigated from the server side by invalidating them all.

  • @lovehumanityx
    13 years ago

    In my view, I think it’s a good idea to change your password and use one that you don’t use across any other website.

    • ⁠ ︎
      2
      3 years ago

      I prefer to randomly generate unique 16-64 character passwords (length depends on how stupid a website’s password restrictions are, some have small maximum lengths or other ridiculous requirements) then store those in an encrypted zip with a lengthy master password (that’s not written down anywhere or used anywhere else) and keep that zip on a couple USBs (always good to have redundant backups), and even then I don’t directly label what they’re used for, I have keywords that only I’d recognize that let me know what they’re used for.
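
The per-site random generation described in the comment above, as an added example (not the commenter's own tooling). The policy model (`site_max`, `required`, `forbidden`), the symbol set and the function names are assumptions made for illustration; the 16-64 range comes from the comment.

```python
import math
import secrets
import string

# Character classes a site may require or forbid (assumed policy model).
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!#$%&()*+-.:;<=>?@[]^_{}~",
}

def generate(site_max=None, required=("lower", "upper", "digit"),
             forbidden="", want=64, floor=16):
    """Generate one unique password for one site.

    want/floor mirror the 16-64 range from the comment; site_max is the
    site's own maximum length, if it imposes one.
    """
    length = min(want, site_max) if site_max else want
    if length < floor:
        raise ValueError(f"site allows {length} chars, below floor of {floor}")
    # Drop characters the site rejects, then drop classes left empty.
    classes = {name: "".join(c for c in chars if c not in forbidden)
               for name, chars in CLASSES.items()}
    classes = {name: chars for name, chars in classes.items() if chars}
    missing = [r for r in required if r not in classes]
    if missing:
        raise ValueError(f"required classes fully forbidden: {missing}")
    alphabet = "".join(classes.values())
    # Rejection sampling: draw every position from the CSPRNG and retry
    # until each required class appears. Forcing one character per class
    # into fixed positions would skew the distribution.
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(c in classes[r] for c in pw) for r in required):
            return pw

def entropy_bits(length, alphabet_size):
    """Upper bound on entropy in bits for a uniformly random password."""
    return length * math.log2(alphabet_size)

if __name__ == "__main__":
    # Constructed sample policy: 20-char maximum, no '&', '<' or '>'.
    print(generate(site_max=20, forbidden="&<>"))
    print(f"{entropy_bits(20, 84):.1f} bits upper bound")
```
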