Look, I’m not going to get into whether you should be using Twitch or not, but the reality is many people do. I’ve been seeing increasing calls, particularly on Discord servers, to change your Twitch password, and on any site you use the same password on.
Those calls mean well, I’m sure, but is it actually necessary? I’m going to assume that Twitch implements password hashing and salting correctly (though, with the source code leaked, you could presumably just check), so realistically, even though the authentication database was leaked, there would be no way for an attacker to get access to your real password, right? Isn’t this the exact situation password hashes are meant to protect against? I feel like the most we’d have to worry about is login tokens for apps and session cookies, which can be pretty easily mitigated from the server side by invalidating them all.
This is not a good idea. Many, many sites, including major companies, have terrible security and don’t spend the slightest effort in protecting user data. They simply face no consequences over it. Countless data breaches show over and over again how badly sensitive information like passwords is protected. Many sites still use ridiculously weak hashing procedures like unsalted MD5 or even store passwords in plaintext. The way many sites handle passwords not only shows that their users’ security is of absolutely no priority to them but can often only be explained with enormous incompetence. Password guidelines are often so ridiculously bad to the point where it would be a lot easier to just do it right, yet someone explicitly programmed nonsensical limitations for the passwords like length limits, limited character sets, the necessity to start with a letter, case-insensitive passwords or whatever idiocy they can think of.
Never trust a site to secure your data. They most likely won’t. Also, don’t trust a company’s report on a breach. Breaches are often kept secret until there is no way to hide them anymore. But even then, companies usually play it down and admit only to what they really cannot hide. The number and extent of known breaches is already disastrous, but there certainly is a lot of unknown breached data that makes it even worse.
We have to assume the Twitch leak is worse than they admit. The attackers might have had access to much more than we know, perhaps they were able to intercept passwords in plaintext. We also have to assume Twitch did not properly secure the saved passwords. Acting otherwise would be foolish and insecure.
Better safe than sorry: just hit the password generate button in your password manager. If you used the same password on other sites, those should be changed regardless.
And of course if your password is too weak no hashing can protect it from being cracked.
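An added illustration of the two points in the answer above (unsalted MD5 versus salted slow hashing, and a weak password being guessable regardless); this is example code written for this page, not code from either poster or from Twitch, and the wordlist and passwords in it are constructed.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed sample wordlist for illustration only; not data from any real breach.
COMMON_PASSWORDS = ["password", "123456", "qwerty", "letmein"]
ITERATIONS = 100_000  # PBKDF2 work factor; production deployments use higher values

def md5_unsalted(password: str) -> str:
    """The weak scheme the answer warns about: deterministic and unsalted."""
    return hashlib.md5(password.encode()).hexdigest()

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256 from the stdlib)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of the stored digest against a recomputed one."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)

def precomputed_lookup(unsalted_hash: str) -> Optional[str]:
    """One table built once over the wordlist answers any unsalted MD5 hash."""
    table = {md5_unsalted(p): p for p in COMMON_PASSWORDS}
    return table.get(unsalted_hash)

def guess_salted(salt: bytes, digest: bytes) -> Optional[str]:
    """With a salt, each user costs a fresh pass over the wordlist at ITERATIONS
    per candidate; a weak password is still found, which is the answer's last point."""
    for candidate in COMMON_PASSWORDS:
        if verify_password(candidate, salt, digest):
            return candidate
    return None

def demo() -> Tuple[Optional[str], bool, bool, Optional[str], Optional[str]]:
    weak_hash = md5_unsalted("letmein")
    from_table = precomputed_lookup(weak_hash)   # recovered with no per-user work
    s1, d1 = hash_password("letmein")
    s2, d2 = hash_password("letmein")
    distinct_digests = d1 != d2                  # same password, different stored digests
    strong_salt, strong_digest = hash_password("Tq7!vR9#mLz2@wKe")  # constructed strong password
    return (from_table, distinct_digests, verify_password("letmein", s1, d1),
            guess_salted(s1, d1), guess_salted(strong_salt, strong_digest))

if __name__ == "__main__":
    print(demo())
```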