Discord.io got hacked!
- added 19. 05. 2024
- Discord.io is NOT Discord.gg / Discord.com! But this hack / data breach does affect Discord users that may have used Discord.io (yeah it's confusing)
Discord.io, a website like top.gg and disboard.org that allows you to advertise your server as well as create free vanity invite links, got breached. 760,000 users had their information uploaded to the . This information includes emails, Discord IDs, salted and hashed passwords, and finally your billing information if the conditions are right.
LINKS
-----------------------------------------------------------------------------
KeePass
keepass.info/
Bitwarden
bitwarden.com/
Proton Pass
proton.me/pass
iCloud+
www.apple.com/ca/icloud/
CloudFlare Email Routing
www.cloudflare.com/developer-...
SOCIALS
-----------------------------------------------------------------------------
Discord Server
/ discord
Twitter
/ notexttospeech
TIMESTAMPS
-----------------------------------------------------------------------------
00:00 - 1. What is Discord.io?
00:49 - 2. What information was exposed?
02:50 - 3. What should you do?
04:40 - 4. How to stay safe(r) from databreaches
06:57 - 5. How stupid is this?
- Science & Technology
One reason Discord.io could be holding onto old billing data is for auditing reasons. For example a bot dev told me they are required by law to keep user billing details for 5 years.
Also, reversing your password from a salted and hashed password is very difficult even if you have a simple password. However, I would still change passwords because it's good practice. Also, I forgot to point out that if you use the same password and your email is in the breach, someone could check if your password has been exposed in a different data breach. If it has, they could try to guess your password and get into your other accounts.
crazy
this is the problem with trusting websites nowadays it's just hard
:(
This is why i have trust issues.
Welcome to the internet. Nowhere is safe.
They did well at least to take action, more than most mega corporations.
As far as i can see, they have done it completely right.
They have handled this issue over a thousand times better than many megacorps did.
@@blinking_dodo this is because they aren't a mega corporation
@@poopmaster yeah, don’t get why they're calling discord a mega corp
Alphabet (Google‘s parent company), Apple, Microsoft, Amazon are mega corps, because they are worth trillions and have several subsidiaries and large market shares
mega corporations do the same thing? im all for bashing the executives but this is just not true
He hates discord users, so he became the ultimate discord user.
LMFAOOO
305 likes and only 1 reply?!lemme fix that
also, yeah that's really funny. the irony
Hahaha, this combined with discord’s dumb little “Free boosts” thing is gonna cause alts to be wayyy too easy to get lol
Hopefully the type of people who used that website are the type of people smart enough to not fall for that. Hopefully.
Hahaha, you fool. I HAVE 700 ALTERNATE ACCOUNTS!!! 😈
/jk
@@AndriuxDev me after I figured out to put a + at the end of my email then the account name 😂
@@AndriuxDev eeerm its actually 70
Honestly bro you deserve an award for informing us EVERY SINGLE TIME
@@enzoshorts. Says the guy who makes fake YT Shorts content
@@enzoshorts. why does bro comment shit on every one of his videos
bro you have no rights your yt channel is lit fake Roblox vids please stfu and go back to adopt me
@@enzoshorts. lmao yt shorts creator. irrelevant moment
@@enzoshorts. Not even the checkmark will save you from invalidating your opinion!
@@enzoshorts. Shorts creator = brainrotten individual
I saw "data breach" and felt worried, but as soon as he explained discord.io I realized this has nothing to do with me because I don't use 3rd party discord stuff lol. Thanks for always informing us about these things (and general safety tips, like the password thing).
in his attempt to say he hated discord, he sounded like he came straight from it 😟
Well, it's like they said: *That little boy... is in BIG trouble.*
He sounded more like a twitter user
Generally your data might already have been sold (passwords n stuff) so its best to check a specific site that lists data breaches on websites and change passwords accordingly
I should probably check the site because 760K users mean more likely than not they have my info
I'd recommend checking "have I been pwned" as soon as they get a copy of the data
@@officialromanhours Oh I will
as far as i am aware i don't think there are sites that list databreaches with the passwords
@@1boo Even then, most users won't get their passwords leaked during this since most are newer users
Btw, for hashed passwords, you can't "reverse engineer" it quite easily as it requires the original password (didn't leak) and salt (that leaked) to check if the hashed password is the same as the stored one. So don't worry about your password.
I would still recommend changing the password tho
it can still be bruteforced
@@zipf will take over 10000 years depending on how strong the victim's password is
@@wedoalittletrolling723 most people have a weak password
Yup, they can't reverse it, that's why it is used
I really feel like that person is in their early 20's going into 18+ servers and chats and complaining about it, then subsequently doing this. I feel like as much as he says he hates discord and the people on it, he used it at some point to get angry at users and create a motive to do this breach.
Man you did an amazing job explaining exactly what happened, what everything means. I especially liked your explanation on the salted and hashed passwords. Thank you for this. Great work!
Just in general DONT use the same password on multiple sites, except if you really don't care about the account I guess. There is nothing assuring you the person running the website doesn't simply sell your password.
Petty people doing petty things, I wish we had some way to find the dudes info and get him arrested for this stuff.
Just send a pipebomb where they host that database breach website
@@sodicious well lol breachforums is another honeypot anyways
@@pattyguy Since Pom was arrested it became one.
@@filipetrujeira3359 quite surprised people here know about pom
@@filipetrujeira3359 we don't know 100% if it is. It's very likely tho.
with salted and hashed passwords it's basically impossible to reverse engineer it. Though what hackers would do is try to brute force it: basically, if they have the salt and know the hashing algorithm they can try the most common passwords or combinations and feed them through the hashing algorithm, then compare it with the hash produced. The salt is usually stored appended or prepended to the hash so getting the salt won't be difficult. If you have a very strong password you shouldn't need to worry much about your password being compromised, because if your password isn't in a word list or isn't common or short they will have to try every combination, eg aa, ab, ac, etc, and this quickly adds up. However you should still change it just in case, especially if you're using the same password on multiple websites.
I'm glad I've been juggling 70 different emails for the past 10 years (yes I frequently forget them all the time).
You have 70 alternative accounts
@@utopes I've been on the internet for a while.
Do you make robots by any chance?
I barely wrote on a notepad how many sites I've registered on... mm I've figured a way for unique passwords not to be written down or forgotten but don't wanna share.. well maybe on stanimir borov1, my first YouTube channel, I might release some video of ideas but not sure yet @@utopes
Thank you for keeping us safe. Much appreciated.
Use password manager, use 2FA, use email aliases. take security measures. like that's only things you can do.
most people stops at pw manager and 2FA, but this is the very reason you want to use email alias, so you don't have to worry about anything and just shut that one off.
how do you keep being entertaining while teaching us stuff boa?
GG on 500k you are amazing :))
The aliasing service that proton uses (and owns) is simplelogin. Just for those who are curious. 6:15
An issue with iCloud+ hide my email is that you can’t email support from that alias email. This might make things harder to manage if you’re trying to contact discord support or whatever support you might need to email using that alias you create. 6:34
No Text To Speech is the best channel about discord I've ever seen, thanks!
Yes:)
Yes!
Beluga is better
@@Nx-tagames absolutely not the same kind of content tho
@@Nx-tagames how?
The hashing algorithm is really important to determine if something is safe or not.
You know it's forgettable when all the top comments are generic "always a good day when ntts uploads"
Phew.. i felt like im about to lose all of my accounts but ive been wrong. thanks for telling us!
Note for billing addresses, country dependent, a company has to keep all its money transactions for 5+ years.
Yeah in my country it is 7 years
always a good day when ntts uploads
lmao
how do these shitty comments still get likes
what in the spam bot is this message
alswyahsn agopsdkda day wehn ntns ahuopad;ls
Agree
I usually use long and complex passwords for every app/website and different emails. I suggest you use similar characters such as L and i ("lI") or O and 0, etc. And I tend to make my passwords stupidly long. We're talking at least-
What?
10 or 15 characters?
And maybe even 40 for some.
With a password that's long and has a lot of characters that look alike, 2FA, And a different Email for EVERYTHING. That's about as secure as you can get to my knowledge.
Of course me having anxiety I still question how Secure my stuff is and keep making my passwords longer and more complex.
Just tried to join a server and it wanted me to add a bot that would join servers for me. Thanks man
Loving these videos!
What is the folder tabs thing you have in your browser? I've seen it in your videos and would love to use it.
It's built into Chrome and any Chromium-based browser (Edge, Opera, Brave, etc.). You can right click any tab and "Add tab to group." You can pick colours and names for them
@@supernovaw39 Thanks, I have been using a chromium browser for like 10 years and somehow I've never realised this
Hashes are generally pretty safe as password storing methods go. It's not impossible to crack, but generally the methodology would be to figure out what the hashing algorithm was, generate a wordlist that might contain the password needed, and hash each of those passwords using the hashing algorithm and see if the hashes match. Salting a hash greatly helps, but people have cracked salted hashes before. I'm too new to hacking to know how. Still a good idea to change your password, but also good to know that this is much better than them storing your password in plaintext, aka english
Since salt should be unique to each account, you can't just easily use a precomputed table of hashes of common passwords to look for collisions. This means for each account you wish to crack, you'd have to recalculate hash(guess|salt) for each possible password you want to test for a collision. Modern hashing algorithms have a very low collision rate too.
@@HiHelloHi i think thats a bit too high end language for me lol. this is why i try to do as little as possible with hashes lol
@@Wither_Strike collisions are just when a different password hashes into the same digest (the output of the hash function) as the actual password. That is to say: hash(A) equals hash(B) where A and B are not the same password. This is due to the fact that hashes are compression functions, meaning they condense a number of characters to the same length of hash for each input string of letters. A table of hash values is just a means to store the outputs of hashing commonly leaked passwords so that you don't compute them yourself. Salt makes it so you have to re-compute this table
for differentiating passwords I would use an algorithm for the password containing some static elements combined with some variable characters that involve the website's middle 3 characters moved 1 right and 3 down on the qwerty keyboard
on email forwarding anonaddy is pretty good but some companies have started to blacklist using forwarding/relay alias so you might need a backup or 2nd email regardless
there's STILL websites that adopt whitelisting of email domains instead which is bs
just use skiff and be happy
What you're describing is unfortunately a cat-and-mouse game; relays continually create aliases, and the other companies continually hunt them down.
That's why I made a bunch of measures to protect my useless discord account, even two of them.. It's a funny relieving feeling when having so much protection that breaking it would require a ton of effort even after an exposed password
Like, nobody would even dare (after entering it) to guess a 6 digit key that is re-generated (in other connected authentication app) every 30 seconds to pass through. Pure bliss.
Wish more people used that more often
Still doesn't mean there isn't a CVE that affects your router and can infect your machine via improper software or another exploit, from there cookie based attacks can be performed, rendering your protections null.
@@dashdashdash_ I'm not an expert but it seems like something rather targeted and what's definitely not going to happen to a random weirdo from the internet.
Also what affects router sounds like something that should be quite local to be relevant, proper people could tell better.
Whatever anyways, what I say is to improve common protection of your account, and replying by random "tHaT iS nOt gOiNg tO sAvE yOu as there is " is lame you know.
Though you can of course not use any protection then, if that's what you ultimately tried to say.
@@Check_001 It doesn't have to be targeted, that's why IP grabbers should scare you legitimately despite people saying "your IP isn't private blah blah"; the problem is *who* has your IP address! Also, router firmware updates are not always a thing.
@@erikkonstas Again I hear only .
I don't care about it and you all miss my main point. Use the damn protection, even if it's not going to save you from the airplane crash or end of the world. Unless you want to advocate against *this,* that's 0 worth of argument.
@@Check_001 You're really ignoring the danger here, whilst at the same time advocating for having protection measures in place...
Once passkeys are supported in Discord, these scams should be no longer effective.
careful with breachforums, those guys are nuts lol
i clicked on this because i thought i had USED the site before. so glad to know it only affects those who made an account on there. my prayers go out to you poor guys.
5:10 personally I just use the password manager that comes with iCloud, works great on your Apple devices, but there are also extensions for Chrome and Firefox
iCloud+ also lets you do the custom email addresses if you're already using that.
Good on you for using FOSS software like bit warden
just an fyi, a data breach is a case of when and not if. plus, you will only know about it only if the company decides to reveal it. assume that EVERYTHING is breached
I have to wonder what circles this person was running in to think that half of discord is pedocontent... I've used it for several years and not really run into it, meanwhile on reddit, twitter, and facebook, 4chan.. the opposite is true.
Oh buddy, you would be surprised on how much pedo content is in Discord. Not just that, but grooming, zoos, etc. Like just cause you didn't see it doesn't mean it ain't out there.
at this point even discord got hacked in discord
this is the prime reason why i use discord as is because i sure as hell don't want people getting my private info cuz every single time something goes to shit with it
Example?
About the single email for everything, there's still more nerdiness than cloudflare email routing. Running a selfhosted email server and then creating aliases there (definitely did not do that nope no way ;) )
good to know that i use a different custom vanity link service, and not this one
i didn't get hacked
About email relays I watched a video about that from Thiojoe and there is a feature where you put some special annotation in your existing email to make it. So it's the same email but with a different address. Though I do remember that he said the feature is rarely supported on websites and all you have to do to get the original address is to just remove the annotation so it's pretty easily bypassed
It's by putting a + and any string before the @ in the address. However in my opinion that's only good to counter email marketing/spam.
@@robertplayz9157 indeed, anyone can remove + part and get your normal email with no issues
And it can be ignored (they just remove the +)
@@thatdude9091 telemarketers have many addresses to deal with, and their time for the money is precious to them, so they don't filter or sort, they just send.
@@robertplayz9157 it takes a very simple filter to remove +
Thing is, with a web space and a domain you can get a fully custom invite link for less than 1,50 a month
simply reverse engineering a salted and hashed password is some nation state kinda work, not impossible but insanely difficult (if they followed best practices that is lol)
I mean, even if the salt is a constant the hackers would still have a harder time...
the nerd voice at the end THAT was a beautiful performance.
as for password managers... using them is just as big a risk. because now, instead of needing to know one password for each account, they need to know one password... and have not only your account passwords for every site, but every username or login name you use for those sites.
But they would need to get to that password, which is kept by a service specifically made for keeping that one password safe.
It's a lot safer than reusing the same password or using insecure ones.
If you can remember dozens of complex passwords from memory, sure, that's safer. But that's just not how things work in reality.
I love it when trash human beings try and claim they are doing something for justice just to cover up their crimes. Like kid is calling everyone on an app a pedophile and thinks he is doing justice by SELLING their data 💀 This guy made 2 wrongs (1: Trying to make bank. 2: Calling an entire user base pedophiles) for 1 wrong (there are indeed SOME pedophiles)
You did a good job with this vid, but 2fa isn’t great if u get sim swapped etc
There are times in my life I'm happy i didn't scoop around stuff like this (my dad's pc survived me trying to download free minecraft over the course of half a decade)
This is why you shouldn't trust these websites
Reminder that if it's on the internet, it's a target. Digital security is all about making it as inconvenient as possible for any attacker. Imagine a bike padlock. You can put 10 padlocks on it which would make most thieves either go after something else or not at all. But if someone really wants your bike, they'll bring a boltcutter.
@@Lexipherous that is true, for example if someone really really hates you, they'll try to shut down anything you own by either hacking it or blackmailing you. but there are other ways too.
I hate Discord's stupid auto generated links though so that's why I used it in the first place
My wifi is too bad to watch the whole video, so I’m good if I never even touched this website? I mean I’d guess so but better safe than sorry.
to be fair, if they aren't using some prehistoric hashing system brute force is a quite dumb way to steal a password.
Can you do a video on the schlatt community discord one of the most toxic servers i know
Me who doesn't know this existed 💀
Thanks for the information
That was impressive but it was just protesting discord
and doing a horrible job at it as well
you can't reverse engineer a hashing algorithm practically; technically yes but it's extremely difficult and time consuming, they would rather bruteforce the hash and try every combination and check if the two hashes match
Today yes, in future? I don't think so
@@denis2381 that is true, hardware is getting more and more powerful and quantum computing is a big deal for cryptography but a lot of algorithms are being made now to be extra secure
Just makes my day better 🍵.
"Discord is full of creeps" lmao like 99% of the students at my school are on our discord server. I think the collateral damage is a bit high on this one. If "getting revenge on creeps" was the goal, that is.
LOVE THE CONTENT ❤❤
A good trick.. is to write down your password on a piece of paper and hide it somewhere only you know where to find them. This way, you keep track of multiple passwords without needing to rely on 3rd party websites
if that's the case, someone you know irl can have access to all your accounts if they get hold of the piece of paper, and if you don't back up that data to another piece of paper and you lose it, you lose access to your accounts. I'd say use an open source password manager and try to back up its data and save it on a few encrypted USB flash drives where only you know the password to the decryption key.
Thank you for warning us. LEGEND.
Are you telling me someone from BreachForums used a SQL vulnerability? Because I'm pretty sure they're using MySQL for their database.
I have cloudfare email routing setup, all i can say is its perfect and fairly easy to set up
What browser is that? The tabs look cool
problem with gmail is that you can only make a certain amount of emails with 1 single phone number. And every gmail requires a phone number each which is annoying
not really, sometimes u dont need a number
@@zmoguszmogus7257 teach pls
It's not about the money it's about sending a message
That hacker sounds like he is projecting.
For e-mail address: Just use an alias. If they spam, then delete your alias.
i feel bad for the people in discord io
Me too
i dont even know if my account was even affected at all
I don't; it was a weird site anyway, they should have read the data ToS and privs before they clicked.
@@dashdashdash_ wdym
@@dashdashdash_ um it wasn't the site themselves it was people who breached it
at least they took some accountability
Firefox relay is good if you don’t want to use apple or Dont have a domain
ntts is always entertaining somehow
"Reverse engineer your password" yes they will use thousands of dollars worth of computing power just to crack salted passwords of discord kids
to the 2fa "this will protect your account if you use the same password for everything" is only partially right, if your email ALSO uses that PW and has no own 2fa, it can be disabled within a jiffy.
so remember², also put on 2fa on your email.
well, can’t wait to get spam emails now!
I wonder if it has been added to HIBP's database.
unlikely, they need to get their hands on the database first
1:09 i heard that smoke alarm beep
If it's old, you don't need to worry. He still won't make money off the breach anyways.
Definitely, I 100% agree with this thought out logic.
8:24 bro actually said that 💀
"enable 2fa" Discord makes me want to turn it off because as someone who makes bots I hate the fact that I need to enter a 2FA code not only to log into the developer portal, but also need to enter it again to generate a bot token (because they no longer let you see it after you create the bot for some reason, you have to regen it) and same for the client secret... Like Discord, I just created the bot, let me see this stuff. That's 3 times I had to enter a 2FA code all to do the same thing
Tell websites to allow all characters so we can truly secure our accounts. Not every hacker has a keyboard that can use all characters so if you use one of them they can't hack into it. Problem solved.
Settings > Language options > Change Keyboard > (insert Region which contains said characters)
Win + CTRL + O
Your solution bypassed
@@softandwet7584 The steps you provided do not match Windows 10 settings.
@@softandwet7584 Also that has nothing to do with the characters I was talking about. The ones I am talking about can not even be typed with OSK or by downloading other languages that are already installed on the system. The characters I am talking about can only be typed by those that have the keyboard. Not everyone has this, only gaming computers do. A hacker would never use a gaming computer for hacks. Note not all gaming computers have this, but still, at least you are protected from this type of hack. Maybe allow characters that can't even be seen; that way at least you know the password still and it will take them years to figure out why they can't log in even though they typed it correctly.
I use Apple's contacts app as a password manager.
content fast asf because of attention span, nice video!
You sound like the guy from the YouTube channel CinemaSins, lmao.
R.I.P Users
4:36 the guy watching the video be like:
well... im fucked
Damn bro, a data breach on my birthday.
also who knows if they just appended the hash or also prefixed it or did some bit magic with it?
This would explain the 2 factor message I got a few days ago sending me my code. I changed my password anyhow for my discord lol.
02:50 No. They cannot figure out the original password - all hashing functions are made "equal" (as in all of them are one-way functions which are theoretically impossible to reverse; if you need a two-way function, look into cryptographic algorithms such as AES (most likely in GCM mode for passwords), RSA, ChaCha20, etc.). What makes a hashing function "insecure" are mainly collision attacks (basically two differing inputs producing the same hash, due to for example insecure computation or a small hash size) and "rainbow table attacks" (which in this case aren't well applicable because it was salted, which means the output of the hashing function is completely different, and I assume dio used at least like a 32 byte salt (256 bits), which should be enough for most cases to avoid the pre-computation attacks), which is just like an index of pre-hashed common inputs.
And I doubt dio was using an "insecure" hashing algorithm like MD5, it was most likely some SHA2 (or SHA3)-family algorithms (such as SHA256, SHA512, SHA3-512, ...), or if dio was smart - Argon2.
Furthermore, although I know things about cryptography and hashing, I don't know anything about dio, but I assume they have TOTP/2FA, and if they do - I truly hope its users were aware enough to set it up in time.
I wouldn't call this an extremely sensitive data breach, but it is uncanny, and the fact that a small portion of users got some of their billing address leaked is sad, considering that identifiable information such as their discord username and email addresses got leaked with it. All this could lead to pretty nasty stalking cases, doxxing, and spear phishing attacks :/
I never heard of this site until now 💀
Good password manager recommendations
also which browser are you using, it looks cool
Somebody already wrote that you can't get the password if it's hashed, with some exceptions (known hashes if the password is really easy).
Do you want to take that risk?
Use different passwords.
But it makes it easier to crack
@@hacksolo857 my dude the difference is your password of “star!” Being saved as “star!” That’s without a hash, Or being saved as “cb384499d9041a698a0acb8b70b7818b” that is with a hash, specifically a md5 hash (not salted)
@@EvilNeuro i am not saying you shouldnt use different passwords thats a different story
@@tommyIT ok, just be careful please
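Several comments above describe the same mechanism from different angles: the brute-force-against-a-wordlist comment, the exchange about salts defeating precomputed tables and collisions, the remarks on MD5 versus SHA-2/Argon2, and the "star!" stored as an unsalted MD5 digest just above. The following is an added example, not code from the video, from discord.io, or from any commenter, showing what a salted, slow password hash looks like in practice and why a table of precomputed digests only helps against the unsalted scheme. It uses PBKDF2-HMAC-SHA256 from Python's standard library (Argon2 would be the stronger choice but needs a third-party package), the record format and the 600,000-iteration default are assumptions for the example, and the "common passwords" list is constructed sample data, not anything from the breach.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Work factor per guess. 600,000 is OWASP's published PBKDF2-HMAC-SHA256 figure;
# the caller can lower it for tests. Every guess an attacker makes costs this
# many HMAC computations instead of one.
DEFAULT_ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = DEFAULT_ITERATIONS) -> str:
    """Store a self-describing record: algorithm$iterations$salt_hex$digest_hex.
    A fresh random salt per user means two users with the same password get
    different records, so one precomputed table cannot be reused across accounts."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time.
    Malformed or foreign records are rejected rather than raising."""
    try:
        algo, iters, salt_hex, dk_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def fast_unsalted(password: str) -> str:
    """The weak scheme the thread contrasts against: one plain hash, no salt
    (SHA-256 here; the md5 in the comment above is the same idea)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Constructed sample of commonly leaked passwords; not data from the breach.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "star!"]

# A "rainbow table" in miniature: digest -> password, computed once and reusable
# against any database that stores unsalted digests.
PRECOMPUTED_TABLE: Dict[str, str] = {fast_unsalted(p): p for p in COMMON_PASSWORDS}


def table_lookup(digest_hex: str) -> Optional[str]:
    """One dictionary lookup recovers an unsalted weak password; None otherwise."""
    return PRECOMPUTED_TABLE.get(digest_hex)


def salted_digest_hex(password: str, salt: bytes, iterations: int) -> str:
    """Only the digest part of a salted record, to show it never matches the table."""
    return hash_password(password, salt, iterations).split("$")[-1]


if __name__ == "__main__":
    record = hash_password("star!", iterations=1_000)
    print("stored record:", record)
    print("unsalted star! found in table:", table_lookup(fast_unsalted("star!")))
    print("salted star! found in table:", table_lookup(record.split("$")[-1]))
```

Two things to take from running it: the same password produces a different record every time because of the random salt, so the table built for one user is useless for the next, and the iteration count is stored with the record, so a site can raise it later and rehash users as they log in.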
2:53 i was really expecting an ad there