One reason Discord.io could be holding onto old billing data is for auditing reasons. For example a bot dev told me they are required by law to keep user billing details for 5 years. Also, reversing your password from a salted and hashed password is very difficult even if you have a simple password. However I would still change passwords because it's a good practice. Also I forgot to point out that if you use the same password and your email is in the breach, someone could check if your password has been exposed in a different data breach. If it has, they could try to guess your password and get into your other accounts.

They did well at least to take action, more than most mega corporations.

Honestly bro you deserve an award for informing us EVERY SINGLE TIME

He hates discord users, so he became the ultimate discord user.

I saw "data breach" and felt worried, but as soon he explained discord,io I realized this has nothing to do with me because I don't use 3rd party discord stuff lol. Thanks for always informing us about these things (and general safety tips, like the password thing).

in his attempt to say he hated discord, he sounded like he came straight from it 😟

Hahaha, this combined with discord’s dumb little “Free boosts” thing is gonna cause alts to be wayyy too easy to get lol

Generally your data might already have been sold (passwords n stuff) so its best to check a specific site that lists data breaches on websites and change passwords accordingly

Man you did an amazing job explaining exactly what happened, what everything means. I especially liked your explanation on the salted and hashed passwords. Thank you for this. Great work!

Btw, for hashed passwords, you can't "reverse engineer" it quite easily as it requires the original password (didn't leak) and salt (that leaked) to check if the hashed password is the same as the stored one. So don't worry about your password.

I really feel like that person is in their early 20's going into 18+ servers and chats and complaining about it, then subsequently doing this. I feel like as much as he says he hates discord and the people on it, he used it at some point to get angry at users and create a motive to do this breach.

Just in general DONT use the same password on multiple sites, except if you really don't care about the account I guess. There is nothing assuring you the person running the website doesn't simply sell your password.

Thank you for keeping us safe. Much appreciated.

with salted and hashed passwords it's basically impossible to reverse engineer it. Though what hackers would do it try to brute force it, basically if they have the salt and know the hashing algorithm they can try the most common passwords or combinations and feed it through the hashing algorithm then compare it with the hash produced. The salt is usually stored appended or prepended to the hash so getting the salt won't be difficult. If have a very strong password you shouldn't need to worry much about your password being compromised. Because if your password isn't in a word list or isn't common or short they will have to try every combination eg aa, ab, ac, etc and this quickly adds up. However you should still change it just in case. Especially if you're using the same password on multiple websites.

GG on 500k you are amazing :))

I'm glad I've been juggling 70 different emails for the past 10 years (yes I frequently forget them all the time).

Petty people doing petty things, I wish we had some way to find the dudes info and get him arrested for this stuff.

No Text To Speech is the best channel about discord I've ever seen, thanks!

The aliasing service that proton uses (and owns) is simplelogin. Just for those who are curious. 6:15

Use password manager, use 2FA, use email aliases. take security measures. like that's only things you can do. most people stops at pw manager and 2FA, but this is the very reason you want to use email alias, so you don't have to worry about anything and just shut that one off.

Good on you for using FOSS software like bit warden

how do you keep beeing entertaining while teaching us stuff boa?

Phew.. i felt like im about to lose all of my accounts but ive been wrong. thanks for telling us!

always a good day when ntts uploads

Note for billing adresses, country dependant, a company has to keep all its money transactions for 5+ years.

for differenting passwords i wold use an algorithm for the password containing some static elements combined with some variable characters that involve the websites middle 3 characters moved 1 right and 3 down on the qwerty keyboard

You know it's forgettable when all the top comments are generic "always a good day when ntts uploads"

Loving these videos!

I have to wonder what circles this person was running in to think that half of discord is pedocontent... I've used it for several years and not really run into it, meanwhile on reddit, twitter, and facebook, 4chan.. the opposite is true.

I usually use long and complex passwords for every app/website and different emails. I suggest you use similar characters such as L and i "lI" or O0 ECT. And I tend to make my passwords stupidly long. We're talking at least- What? 10 or 15 characters? And maybe even 40 for some. With a password that's long and has a lot of characters that look alike, 2FA, And a different Email for EVERYTHING. That's about as secure as you can get to my knowledge. Of course me having anxiety I still question how Secure my stuff is and keep making my passwords longer and more complex.

5:10 personally I just use the password manager that comes with iCloud, works great on your Apple devices, but there are also extensions for Chrome and Firefox

iCloud+ also lets you do the custom email addresses if you're already using that.

Just tried to join a server and it wanted me to add a bot that would join servers for me. Thanks man

The hashing algorithm is really important to determine if something is safe or not.

on email forwarding anonaddy is pretty good but some companies have started to blacklist using forwarding/relay alias so you might need a backup or 2nd email regardless

simply reverse engineering a salted and hashed password is some nation state kinda work, not impossible but insanely difficult (if they followed best practices that is lol)

About email relays I watched a video about that from Thiojoe and there is a feature where you put some special annotation in your existing email to make it. So it's the same email but with a different address. Though I do remember that he said the feature is rarely supported on websites and all you have to do to get the original address is to just remove the annotation so it's pretty easily bypassed

Hash's are generally pretty safe as passwodd storing methods go. Its not impossible to crack, but generally the methodology would be to figure out what the hashing algorithm was, generate a wordlist that might contain the password needed, and hashing each of those passwords using the hashing algorithm and seeing if the hashs match. Salting a hash greatly helps, but people have cracked salted hash's before. Im too new to hacking to know how. Still a good idea to change your password, but also good to know that this is much better than them storing your password in plaintext, aka english

Just makes my day better 🍵.

good to know that i use a different custom vanity link service, and not this one i didn't get hacked

You did a good job with this vid, but 2fa isn’t great if u get sim swapped etc

I love it when trash human beings try and claim they are doing something for justice just to cover up their crimes. Like kid is calling everyone on an app a pedophile and thinks he is doing justice by SELLING their data 💀 This guy made 2 wrongs (1: Trying to make bank. 2: Calling an entire user base pedophiles) for 1 wrong (there are indeed SOME pedophiles)

the nerd voice at the end THAT was a beautiful performance.

What is the folder tabs thing you have in your browser? I've seen it in your videos and would love to use it.

That's why I made a bunch of measures to protect my useless discord account, even two of them.. It's a funny relieving feeling when having so much protection that breaking it would require a ton of efforts even after an exposed password Like, nobody would even dare (after entering it) to guess a 6 digit key that is re-generated (in other connected authentication app) every 30 seconds to pass through. Pure bliss. Wish mode people used that more often

i clicked on this because i thought i had USED the site before. so glad to know it only affects those who made an account on there. my prayers go out to you poor guys.

content fast asf because of attention spam, nice video!

as for password managers... using them is just as big a risk. because now, instead of needing to know one password for each account, they need to know one password... and have not only your account passwords for every site, but every username or login name you use for those sites.

Thing is, with a web space and a domain you can get a fully custom invite link for less then 1,50 month

also witch browser are you using it look cool

at this point even discord got hacked in discord

There are times in my life I'm happy i didn't scoop around stuff like this (my dad's pc survived me trying to download free minecraft over the course of half a decade)

Once passkeys are supported in Discord, these scams should be no longer effective.

About the single email for every thing, theres still more nerdiness than cloudflare email routing. Running a selfhosted email server and then creating aliases there (definitely did not do that nope no way ;) )

just an fyi, a data breach is a case of when and not if. plus, you will only know about it only if the company decides to reveal it. assume that EVERYTHING is breached

careful with breachforums, those guys are nuts lol

You sound like the guy from the KZfaq channel CinemaSins, lmao.

you cant reverse engineer a hashing algorithm practically, technically yes but its extremely difficult and time consuming, they would rather bruteforce the hash and try every combination and check if the two hashes match

What browser is that? The tabs look cool

to be fair, if they aren't using some preistoric hashing system brute force is a quite dumb way to steal a password.

2:53 i was really expecting an ad there

Thank you for warning us. LEGEND.

this is the prime reason why i use discord as is because i sure as hell don't want people getting my private info cuz every single time something goes to shit with it

LOVE THE CONTENT ❤❤

Me who doesn't know this existed 💀 Thanks for the information

That was impressive but it was just protesting discord

Definitely, I 100% agree with this thought out logic.

Can you do a video on the schlatt community discord one of the most toxic servers i know

I have cloudfare email routing setup, all i can say is its perfect and fairly easy to set up

so many good advice on here

Ah. , you did the idea! nice job.

02:50 No. They cannot figure out the original password - all hashing functions are made "equal" (as in all of them are one-way functions which are theoretically impossible to reverse, if you need a two-way function - look into cryptographic algorithms such as AES (most likely in GCM mode for passwords), RSA, ChaCha20, etc.). What makes a hashing function "insecure" are mainly collision attacks (basically two differing inputs producing the same hash, due to for example insecure computation or a small hash size) and "rainbow table attacks" (which in this case isn't well applicable because it was salted, which means the output of the hashing function output is completely different, and I assume dio used at least like a 32 byte salt (256 bits), which should be enough for most cases to avoid the pre-computation attacks) which is just like an index of pre-hashed common inputs. And I doubt dio was using an "insecure" hashing algorithm like MD5, it was most likely some SHA2 (or SHA3)-family algorithms (such as SHA256, SHA512, SHA3-512, ...), or if dio was smart - Argon2. Furthermore, although I know things about cryptography and hashing, I don't know anything about dio, but I assume they have TOTP/2FA, and if they do - I truly hope its users were aware enough to set it up in time. I wouldn't call this an extremely sensitive data breach, but it is uncanny, and the fact that s small portion of users got some of their billing address leaked is sad, considering that identifiable information such as their discord username and email addresses got leaked with it. All this could lead to pretty nasty stalking cases, doxxing, and spear phishing attacks :/

well, can’t wait to get spam emails now!

Good password manager recommendations

Damn bro, a data breach on my birthday.

For e-mail address: Just use an alias. If they spam, then delete your alias.

Are you telling someone from breach forms a? used a sequel? vulnerable. because I'm pretty sure they're using my SQL for their database.

That hacker sounds like he is projecting.

I wonder if it has been added to HIBP's database.

Firefox relay is good if you don’t want to use apple or Dont have a domain

even for my first name last name i have three emails for school, work, and personal (local) stuff

"enable 2fa" Discord makes want to turn it off because as someoke who makes bots i hate the fact that i need to enter a 2FA code not only log into the developer portal, but also need to enter it again to generate a bot token (because they no longer let you see it after you create the bot for some reason, you habe to regen it) and same for the client secret... Like Discord i just created the bot let me see this stuff. Thats 3 times i had to enter a 2FA code all to do the same thing

problem with gmail is that you can only make a certain amount of emails with 1 single phone number. And every gmail requires a phone number each which is annoying

best thing to see on my yt recommended

But does this affect actual discord? Like what happened with g+ getting sued because of a data breach?

4:36 the guy watching the video be like: well... im fucked

I didn’t even know this existed.

1:09 i heard that smoke alarm beep

to the 2fa "this will protect your account if you use the same password for everything" is only partially right, if your email ALSO uses that PW and has no own 2fa, it can be disabled within a jiffy. so remember², also put on 2fa on your email.

That site doesn't use money btw. They use credits.

"Discord is full of creeps" lmao like 99% of the students at my school are on our discord server. I think the collateral damage is a bit high on this one. If "getting revenge on creeps" was the goal, that is.

I use apples contacts app as a password manager.

Dudes sounding like AsianHalfSquat and Valiksbum at the same time

Thankfully i I’m too lazy to do this stuff so i wasn’t apart of this data breach

If it's old, you don't need to worry. He still won't make money off the breach anyways.

this isnt a discord data breach right? like if you dont use discord io your safe?

8th day of me waiting a reply to my ticket from discord’s indian tech support…

A good trick.. is to write down your password on a piece of paper and hide it somewhere only you know where to find them. This way, you keep track of multiple passwords without needing to rely on 3rd party websites

ntts is always entertaining somehow

8:24 bro actually said that 💀