One reason Discord.io could be holding onto old billing data is for auditing reasons. For example a bot dev told me they are required by law to keep user billing details for 5 years. Also, reversing your password from a salted and hashed password is very difficult even if you have a simple password. However I would still change passwords because it's a good practice. Also I forgot to point out that if you use the same password and your email is in the breach, someone could check if your password has been exposed in a different data breach. If it has, they could try to guess your password and get into your other accounts.

Honestly bro you deserve an award for informing us EVERY SINGLE TIME

They did well at least to take action, more than most mega corporations.

I saw "data breach" and felt worried, but as soon he explained discord,io I realized this has nothing to do with me because I don't use 3rd party discord stuff lol. Thanks for always informing us about these things (and general safety tips, like the password thing).

Hahaha, this combined with discord’s dumb little “Free boosts” thing is gonna cause alts to be wayyy too easy to get lol

He hates discord users, so he became the ultimate discord user.

in his attempt to say he hated discord, he sounded like he came straight from it 😟

Man you did an amazing job explaining exactly what happened, what everything means. I especially liked your explanation on the salted and hashed passwords. Thank you for this. Great work!

Generally your data might already have been sold (passwords n stuff) so its best to check a specific site that lists data breaches on websites and change passwords accordingly

Btw, for hashed passwords, you can't "reverse engineer" it quite easily as it requires the original password (didn't leak) and salt (that leaked) to check if the hashed password is the same as the stored one. So don't worry about your password.

I really feel like that person is in their early 20's going into 18+ servers and chats and complaining about it, then subsequently doing this. I feel like as much as he says he hates discord and the people on it, he used it at some point to get angry at users and create a motive to do this breach.

with salted and hashed passwords it's basically impossible to reverse engineer it. Though what hackers would do it try to brute force it, basically if they have the salt and know the hashing algorithm they can try the most common passwords or combinations and feed it through the hashing algorithm then compare it with the hash produced. The salt is usually stored appended or prepended to the hash so getting the salt won't be difficult. If have a very strong password you shouldn't need to worry much about your password being compromised. Because if your password isn't in a word list or isn't common or short they will have to try every combination eg aa, ab, ac, etc and this quickly adds up. However you should still change it just in case. Especially if you're using the same password on multiple websites.

No Text To Speech is the best channel about discord I've ever seen, thanks!

The aliasing service that proton uses (and owns) is simplelogin. Just for those who are curious. 6:15

I'm glad I've been juggling 70 different emails for the past 10 years (yes I frequently forget them all the time).

always a good day when ntts uploads

Petty people doing petty things, I wish we had some way to find the dudes info and get him arrested for this stuff.

Use password manager, use 2FA, use email aliases. take security measures. like that's only things you can do. most people stops at pw manager and 2FA, but this is the very reason you want to use email alias, so you don't have to worry about anything and just shut that one off.

Note for billing adresses, country dependant, a company has to keep all its money transactions for 5+ years.

You know it's forgettable when all the top comments are generic "always a good day when ntts uploads"

I have to wonder what circles this person was running in to think that half of discord is pedocontent... I've used it for several years and not really run into it, meanwhile on reddit, twitter, and facebook, 4chan.. the opposite is true.

Phew.. i felt like im about to lose all of my accounts but ive been wrong. thanks for telling us!

simply reverse engineering a salted and hashed password is some nation state kinda work, not impossible but insanely difficult (if they followed best practices that is lol)

Thank you for keeping us safe. Much appreciated.

GG on 500k you are amazing :))

I love it when trash human beings try and claim they are doing something for justice just to cover up their crimes. Like kid is calling everyone on an app a pedophile and thinks he is doing justice by SELLING their data 💀 This guy made 2 wrongs (1: Trying to make bank. 2: Calling an entire user base pedophiles) for 1 wrong (there are indeed SOME pedophiles)

That's why I made a bunch of measures to protect my useless discord account, even two of them.. It's a funny relieving feeling when having so much protection that breaking it would require a ton of efforts even after an exposed password Like, nobody would even dare (after entering it) to guess a 6 digit key that is re-generated (in other connected authentication app) every 30 seconds to pass through. Pure bliss. Wish mode people used that more often

I usually use long and complex passwords for every app/website and different emails. I suggest you use similar characters such as L and i "lI" or O0 ECT. And I tend to make my passwords stupidly long. We're talking at least- What? 10 or 15 characters? And maybe even 40 for some. With a password that's long and has a lot of characters that look alike, 2FA, And a different Email for EVERYTHING. That's about as secure as you can get to my knowledge. Of course me having anxiety I still question how Secure my stuff is and keep making my passwords longer and more complex.

About email relays I watched a video about that from Thiojoe and there is a feature where you put some special annotation in your existing email to make it. So it's the same email but with a different address. Though I do remember that he said the feature is rarely supported on websites and all you have to do to get the original address is to just remove the annotation so it's pretty easily bypassed

how do you keep beeing entertaining while teaching us stuff boa?

02:50 No. They cannot figure out the original password - all hashing functions are made "equal" (as in all of them are one-way functions which are theoretically impossible to reverse, if you need a two-way function - look into cryptographic algorithms such as AES (most likely in GCM mode for passwords), RSA, ChaCha20, etc.). What makes a hashing function "insecure" are mainly collision attacks (basically two differing inputs producing the same hash, due to for example insecure computation or a small hash size) and "rainbow table attacks" (which in this case isn't well applicable because it was salted, which means the output of the hashing function output is completely different, and I assume dio used at least like a 32 byte salt (256 bits), which should be enough for most cases to avoid the pre-computation attacks) which is just like an index of pre-hashed common inputs. And I doubt dio was using an "insecure" hashing algorithm like MD5, it was most likely some SHA2 (or SHA3)-family algorithms (such as SHA256, SHA512, SHA3-512, ...), or if dio was smart - Argon2. Furthermore, although I know things about cryptography and hashing, I don't know anything about dio, but I assume they have TOTP/2FA, and if they do - I truly hope its users were aware enough to set it up in time. I wouldn't call this an extremely sensitive data breach, but it is uncanny, and the fact that s small portion of users got some of their billing address leaked is sad, considering that identifiable information such as their discord username and email addresses got leaked with it. All this could lead to pretty nasty stalking cases, doxxing, and spear phishing attacks :/

the nerd voice at the end THAT was a beautiful performance.

as for password managers... using them is just as big a risk. because now, instead of needing to know one password for each account, they need to know one password... and have not only your account passwords for every site, but every username or login name you use for those sites.

What is the folder tabs thing you have in your browser? I've seen it in your videos and would love to use it.

"Discord is full of creeps" lmao like 99% of the students at my school are on our discord server. I think the collateral damage is a bit high on this one. If "getting revenge on creeps" was the goal, that is.

You sound like the guy from the KZbin channel CinemaSins, lmao.

you cant reverse engineer a hashing algorithm practically, technically yes but its extremely difficult and time consuming, they would rather bruteforce the hash and try every combination and check if the two hashes match

Hash's are generally pretty safe as passwodd storing methods go. Its not impossible to crack, but generally the methodology would be to figure out what the hashing algorithm was, generate a wordlist that might contain the password needed, and hashing each of those passwords using the hashing algorithm and seeing if the hashs match. Salting a hash greatly helps, but people have cracked salted hash's before. Im too new to hacking to know how. Still a good idea to change your password, but also good to know that this is much better than them storing your password in plaintext, aka english

Once passkeys are supported in Discord, these scams should be no longer effective.

iCloud+ also lets you do the custom email addresses if you're already using that.

on email forwarding anonaddy is pretty good but some companies have started to blacklist using forwarding/relay alias so you might need a backup or 2nd email regardless

just an fyi, a data breach is a case of when and not if. plus, you will only know about it only if the company decides to reveal it. assume that EVERYTHING is breached

5:10 personally I just use the password manager that comes with iCloud, works great on your Apple devices, but there are also extensions for Chrome and Firefox

to the 2fa "this will protect your account if you use the same password for everything" is only partially right, if your email ALSO uses that PW and has no own 2fa, it can be disabled within a jiffy. so remember², also put on 2fa on your email.

for differenting passwords i wold use an algorithm for the password containing some static elements combined with some variable characters that involve the websites middle 3 characters moved 1 right and 3 down on the qwerty keyboard

i clicked on this because i thought i had USED the site before. so glad to know it only affects those who made an account on there. my prayers go out to you poor guys.

That was impressive but it was just protesting discord

Just tried to join a server and it wanted me to add a bot that would join servers for me. Thanks man

The hashing algorithm is really important to determine if something is safe or not.

Good on you for using FOSS software like bit warden

8:24 bro actually said that 💀

1:09 i heard that smoke alarm beep

content fast asf because of attention spam, nice video!

careful with breachforums, those guys are nuts lol

There are times in my life I'm happy i didn't scoop around stuff like this (my dad's pc survived me trying to download free minecraft over the course of half a decade)

4:36 the guy watching the video be like: well... im fucked

A good trick.. is to write down your password on a piece of paper and hide it somewhere only you know where to find them. This way, you keep track of multiple passwords without needing to rely on 3rd party websites

Thank you for warning us. LEGEND.

Thing is, with a web space and a domain you can get a fully custom invite link for less then 1,50 month

Just in general DONT use the same password on multiple sites, except if you really don't care about the account I guess. There is nothing assuring you the person running the website doesn't simply sell your password.

Loving these videos!

good to know that i use a different custom vanity link service, and not this one i didn't get hacked

I'm cat cat, thanks for accepting my idea, ntts

at this point even discord got hacked in discord

this is the prime reason why i use discord as is because i sure as hell don't want people getting my private info cuz every single time something goes to shit with it

About the single email for every thing, theres still more nerdiness than cloudflare email routing. Running a selfhosted email server and then creating aliases there (definitely did not do that nope no way ;) )

to be fair, if they aren't using some preistoric hashing system brute force is a quite dumb way to steal a password.

Thank god i aint using that 💀

You did a good job with this vid, but 2fa isn’t great if u get sim swapped etc

also witch browser are you using it look cool

"enable 2fa" Discord makes want to turn it off because as someoke who makes bots i hate the fact that i need to enter a 2FA code not only log into the developer portal, but also need to enter it again to generate a bot token (because they no longer let you see it after you create the bot for some reason, you habe to regen it) and same for the client secret... Like Discord i just created the bot let me see this stuff. Thats 3 times i had to enter a 2FA code all to do the same thing

Me who doesn't know this existed 💀 Thanks for the information

Dudes sounding like AsianHalfSquat and Valiksbum at the same time

He's not even a hacker it's just a simple SQL Injection. ;-;

Thankfully i I’m too lazy to do this stuff so i wasn’t apart of this data breach

2:53 i was really expecting an ad there

problem with gmail is that you can only make a certain amount of emails with 1 single phone number. And every gmail requires a phone number each which is annoying

This is why you shouldn't trust these websites

ntts is always entertaining somehow

Are you telling someone from breach forms a? used a sequel? vulnerable. because I'm pretty sure they're using my SQL for their database.

breached? didnt pom get arrested? thats a honeypot for sure mate 1:23

2:15 Interesting how you blurred (or have you blurred...?) the information in the leak website where this individual is selling such information, but did not blur the link. (or it was already blurred on the website, I'm not going there to check, lol) Thank you for informing about this, however, i was not using this service, but it's good to be informed non-the-less.

Tell websites to allow all characters so we can truly secure our accounts. Not every hacker has a keyboard that can use all characters so if you use one of them they can't hack into it. Problem solved.

Of course this happens when paywall stuff like custom invite links. Instead, people resort to 3rd party "solutions" that end up in more harm than good. Disgusting, discord.

What browser is that? The tabs look cool

I have cloudfare email routing setup, all i can say is its perfect and fairly easy to set up

Just makes my day better 🍵.

no one ever says, reverse engineer a password, you crack passwords no reverse engineer them

also who knows if they just appended the hash or also prefixed it or did some bit magic with it?

LOVE THE CONTENT ❤❤

For e-mail address: Just use an alias. If they spam, then delete your alias.

But does this affect actual discord? Like what happened with g+ getting sued because of a data breach?

If it's old, you don't need to worry. He still won't make money off the breach anyways.

this isnt a discord data breach right? like if you dont use discord io your safe?

2FA doesn't do any good though. Hackers been bypassing this for years...

i feel bad for the people in discord io

That hacker sounds like he is projecting.

does anyone know why i get the discord notification sound when no one is texting me? (i also have all servers muted)

6:35 i don’t have iCloud+ but I still get the “hide my email” option

Damn bro, a data breach on my birthday.