Twitch User Security Guide, Pt. I:

You’re gonna have to change your dog’s name.

Securing yourself on Twitch is a simple process that anyone can perform, yet most people skip these important steps. For some it’s an “I’ll get to it later” situation that never happens; others simply don’t understand what’s involved.

Who is the target: Twitch, or YOU?

As live streaming becomes more popular, criminals are taking notice and targeting live streaming platforms like Twitch, Caffeine, Mixer and others. For the most part the target isn’t the security of the platform itself (i.e. Twitch’s own systems) but its users. That’s right: YOU. Attackers take passwords stolen from other, often completely unrelated services (email, forums, shops, etc.) and try them against Twitch to see whether the same password was reused there, a technique known as credential stuffing. Users who never set up 2-Factor Authentication on their accounts are now suffering the consequences: losing access, or worse, having a stranger secretly watching all of their private activity.

In the last month alone, over 20 posts have been made on /r/twitch about stolen accounts. Many of these belong to people who never enabled 2-Factor Authentication and reused weak passwords that had already been stolen from other websites.

Take the tiny amount of time necessary to secure yourself, it’s a lot simpler than you might think. Let’s get started!

2-Factor Authentication

Twitch offers its users protection in the form of “2-Factor Authentication,” as mentioned above. By 2019 you have almost certainly used this security measure elsewhere, such as your bank’s website or your work email. It’s the step that asks you to enter a short numeric code (typically 6 digits, sometimes 4–8) that you retrieve from somewhere else, proving you hold a second factor in addition to the password. Many services now offer this option, and you should absolutely be using it wherever possible: a stolen password alone is no longer enough to get into the account, which makes it an extremely effective defense against the attacks described above.

However, Twitch (like many services) does not FORCE all users to take advantage of this protection. Currently Twitch only requires 2-Factor Authentication for its “Affiliate” and “Partner” accounts; regular users and viewers have no such requirement. It is, however, available to ALL users!

Many see 2-Factor as an inconvenience that offers more annoyance than benefit. Most users think they are not a target, and so believe the chance of it happening to them isn’t worth the extra time to enable and use 2-Factor. Others don’t believe they have anything worth protecting because they only use the account to chat, “so what’s the point of enabling it?”

The truth is that no matter what kind of account you have on Twitch, it has value to SOMEONE. Many scams rely on having an established Twitch account that isn’t brand new, because a fresh account draws suspicion. That’s right: even if you think there’s nothing worthwhile in your Twitch account, the mere fact that it exists and has some history is what makes it valuable.

We won’t get into step-by-step setup for 2-Factor here, as Twitch already made a nice article on explaining how it all works:

https://blog.twitch.tv/two-factor-authentication-now-available-on-your-twitch-account-b03300862ba7.

Come back once you have that squared away, as there is even more you must do to stay safe and secure on Twitch.

You’ll notice Twitch offers 2 options for “2FA”: Authy, or SMS (“text message”). Many users don’t like Authy and are asking for a different option. While we agree there should be more options, that’s no excuse not to enable it. One more app doesn’t hurt, and Authy is a standard authenticator app that can generate codes for NEARLY EVERY other 2FA service you use. If you absolutely refuse to use Authy, then SMS is a good second bet, though it carries somewhat more risk: an attacker who takes over your phone number (for example through a SIM swap) also receives your codes. PLEASE choose one of these two options; there is no excuse for not using 2FA anymore.

One final note about 2FA on Twitch: we believe they should borrow a technique Apple uses. In the last few years Apple has been adding emojis to its software updates as a way to entice users to update. Twitch could offer an emote that is only available while you have 2-Factor enabled, and maybe add more as users complete yearly security reviews. Until then, we must settle for the satisfaction of knowing we’re more secure.

Moving on. . .

Secure Passwords

We know you can hardly go a week anymore without hearing about this somewhere, but let’s get a big elephant in the room out of the way: having a secure password doesn’t have to mean having a password you can’t remember. In fact, there are a few logins where a password you can’t remember is a real problem, because nothing can fill it in for you when you need it:

  • Your computer
  • Bank
  • Important Email
  • And of course, your password manager

So how the heck do we create a secure password that isn’t a jumbled mash of characters we’ll never remember? Try using a sentence! “I love my 3 cats” (with the quotes) is a decent, memorable password, especially if you have 3 cats that don’t suck. It has upper and lowercase characters, a number, spaces and “special” characters (the quotes). What actually makes it strong is its length and the fact that it’s personal rather than a famous quote or song lyric that already sits in every cracking wordlist; make it your own, and never reuse it on a second site. One caveat: some sites reject spaces or quotes in passwords, so have a variation ready.

Many people have several passwords they rotate between sites, or a single password for sites that “aren’t really important” and a “stronger” one for things like their bank. While that is certainly better than one password everywhere, it still leaves you open to attackers getting into your accounts via a breach at a site that has nothing to do with the one they end up accessing, exactly as described above.

In this day and age password breaches are a common occurrence. Attackers perpetually run “bots” against every login on the internet, trying the usernames and passwords they discover and share. Nothing is safe. A very recent list of stolen (or guessed) credentials was just exposed: “Collection #1,” containing over 773 million unique email addresses and over 21 million unique passwords, with rumors of up to 7 such collections being out there. Multiple users are already reporting Minecraft, PayPal, Ubisoft, Uber and other accounts being broken into because they used passwords from this list on multiple platforms. Using the same password on multiple, completely unrelated sites (i.e. Twitch & your bank) could easily end with your accounts being compromised on BOTH. That’s right, if Twitch is ever breached, your bank account could be emptied (especially if you didn’t use 2FA)!

The best piece of advice on secure passwords I can give is: use a password manager. Multiple solutions exist, each with its own advantages. 1Password, LastPass, Google’s built-in password manager, KeePass, etc. are all GREAT. Do some research and pick the one that seems best for you. If that seems daunting, 1Password and LastPass are the most common, so at least check those out. Also make sure the password manager supports 2FA for its own account, and enable that.

Even with a password manager it is still recommended to update your passwords every so often. Most password managers can now do that automatically for supported sites, which is nice, but at the very least change your master password once a year. More important than any calendar: change a password immediately if the site it belongs to announces a breach or the password turns up in a breach list, and let the manager generate the replacement.

Also be careful with the XKCD “Correct Horse Battery Staple” password suggestion that is still making its rounds on the internet. It isn’t as safe as the comic makes it look, but because of the comic’s popularity it gets shared quite a bit. The short version: the comic’s math only holds if the words are picked truly at random from a large list, and modern cracking tools try combinations of dictionary words, so four common words a human picked (or a lyric, or a famous phrase) are far weaker than advertised. If you want the technical details, check out this blog post by Bruce Schneier.

Payment Protection

There are two forms of payment protection that I will talk about in this section. One is for the users making payments on Twitch, and the other will be about streamers receiving payments.

Viewers:

If you are a viewer on Twitch then you may have used PayPal or a credit card at some point to subscribe to a streamer, or maybe you bought some Twitch Bits. Most users keep whatever payment method they used saved on the site to make it easier next time. We understand it’s really convenient and makes the process easier the next time you want to subscribe or buy Bits. While not storing this info is obviously the most secure option, there are still ways to use this feature and remain relatively secure.

If you have PayPal, be sure to have 2FA enabled on the PayPal side so that you have to enter the code when making a purchase. This might sound like a pain, but it’s nothing compared to trying to dispute 25+ $24.99 subs because your account got broken into.

If you’re using a debit card instead of a credit card: just stop. I have no other suggestion there. The main reason is that when you use a credit card, US law (the Fair Credit Billing Act) limits your liability for fraudulent charges, which makes disputing invalid charges MUCH easier. If your debit card gets hit with thousands of dollars of charges, that’s your own money gone from your account while the bank investigates, which can take 90 days or more; it may never come back, with the bank instead telling you to try suing Twitch (good luck).

If you can’t get a credit card or want an alternative, a great solution is a service like Privacy.com. You can create unique virtual card numbers that can be locked to a single merchant and given their own spending limits. For example: if you only plan to be subbed to 1 streamer at a time, you can limit the card to $5 for the month. So even if someone gained access to your account or stole this card number from Twitch directly, they couldn’t spend more than $5 a month, so they’d likely throw the number out and move on. You can also easily update these amounts and other settings in their app. The author of this article personally uses this service on multiple sites.

Streamers:

Now if you’re a streamer you might not worry so much about the above (though you likely still sub to support your friends); instead, personal privacy and chargebacks on donations are the bigger concern. The common “this donation is non-refundable” note everyone puts in the panels under their stream does nothing to actually protect them from chargebacks; at best it deters people from attempting one. StreamElements and StreamLabs both offer some form of chargeback protection, so taking donations through their services is a good option. As for your personal privacy, make sure donations go to a PayPal business account so your personal name and other details aren’t exposed to the donor.

Another option is enabling cryptocurrency donations, which cannot be charged back at all. We created a service around 1 year ago called 1UpCoin, which makes it simple to connect your Coinbase account to a donation page on Twitch, and even get alerts for donations. We made sure it’s extremely easy to set up on your stream so that everyone, no matter how non-technical, could quickly begin using it to protect their income and privacy. For most, it’s very easy to accept cryptocurrency donations and then convert them to actual cash. While it does create an extra step, it adds a lot of security.

That’s another big benefit of cryptocurrency donations over things like PayPal: even with chargeback protection and a business account on the PayPal side, you are still dealing with an account tied to you, whereas with a crypto address none of your information is ever shared with the donor. It’s a complete one-way street.

Is that it?

Overall? Yes. Lots of words, but 3 easy precautions to prevent your account from getting compromised and your money stolen. While there is no such thing as “100% secure,” use bear attacks as your guide: you don’t have to outrun the bear, you just need to not be the slowest person in the group. In the security realm, you just have to be more secure than the other guy; attackers will abandon you for the target that takes far less work to get into.

I could however go into many more details of 2-Factor, password managers, payment protection and could even dive into tips specifically for streamers. This was meant to be a quick overview of why and how you can secure your account and give you a quick understanding of what’s at stake.

Be sure to check out Part 2 of this article by Johnny Xmas.

Jaku is a professional security researcher, Partnered Twitch streamer and CEO of https://warp.world . You can find him on Twitch or Twitter as jaku.