Where to report API Abuse

Someone’s been coming to my stream trying to get me hit a link which leads to their oauth2 signup for their twitch app.

I’m a developer so it’s not something I’m going to fall for, but, they kept following up with accounts they had compromised.

Where do I report this? I saved the two clientIDs they used below as well as the account s/n’s of the people they hacked into (one was a partnered streamer!) I’ll leave the clientIDs below for the community here, but main question:

Where do I report this? All current twitch reporting tools are for broadcasters or chatters - I don’t really have any information on whom the person may be by screen name seeing as they are using compromised accounts.

Anyway any advice would be nice but here are the offending clientIDs:

  • th6if2qqasz8koyki4mluwvxekqoww
  • fo72rigvohp66dd2681a4y9upuhynb

It sounds like you’re talking about the bot that’s impersonating Nightbot Authentication. Twitch are already aware of it.

And just for clarification, no “hacking” is involved. They used social engineering to fool users into giving them an OAuth token with the scope to connect to chat as that users account.

At the very least this should be a good learning experience for anyone who fell for it. People have learned by now to never give out their login details, but are so willing to authorise apps that ask for far over-reaching scopes, and still have old/unused/defunct apps still connected that are a potential security risk.

Honestly I’m surprised it’s taken so long for something like this to become the issue that it currently it. Anyone here remember the days of users trying to impersonate Q or Quakenet, or NickServ on other networks?


Look when I type my password it shows as ********** to you it’s kinda cool. Try yours…

1 Like

I remember those of us at DALnet trying to minimize that kind of thing, but such measures still depend on users not being gullible. That’ll be the day…

Correct they didn’t hack, using that term somewhat colloquially here.

I’d like for there to be a way to shut ppl like this down though; at least with the client ID and some reporting mechanism.

My mod’s initial reaction was to ban the messengers but I pointed out they could be compromised accounts.

The late 90s Quake days were fun but these days there’re a ton more normies, as well as ways to use phishing for more diverse reasons than just the Luls.

Anyway if there’s no official thing on the twitch side, I get it they’re not that big of a company overall and can’t chase down everything, but IMO it’d be nice if there were a more direct way to block out bad actors.

While Twitch investigate the problem and deal with it, the best thing you can do is report the affected users and blacklist the URL so it wont show up in chat in the first place.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.