A Discord User Hacked into a Company!
Вставка
- Опубліковано 15 чер 2024
- Imagine being a large cloud computing company. You know, computer nerd wizardry. And then kaboom, a teenager with a room temperature IQ comes out of the woodwork to go wild.
Yep, a Discord scammer managed to hack a large company with a sophisticated technique. But was this hacking technique actually sophisticated? Or is Shadow, the company, lying to you?
SOCIALS
-----------------------------------------------------------------------------
Discord Server
/ discord
Twitter
/ notexttospeech
TIMESTAMPS
-----------------------------------------------------------------------------
00:00 - Advanced level hacking
01:16 - The scope of the breach
02:29 - How did the hacker do it?
04:44 - Preventable?
05:31 - Bankruptcy?
06:32 - How to protect yourself - Наука та технологія
Whenever you hear from a company that they've been a victim to a 'highly sophisticated' attack, it usually means that some dumb employee fell for a simple social engineering trick.
Very true
W statement
Or an employee could deliberately download something that is obviously a virus to take down the company for... various reasons COUGH COUGH scamming people COUGH COUGH.
@@victoralexandervinkenes9193insider attacks are surprisingly common
Yeah the employee fell for the most known discord malware by accepting a file from a friend of there that was hacked.
I'm shocked shadow didn't implode much sooner. That was by far one of the dumbest breaches imaginable. A 12 year old could of compromised that company.
One of the most important things I learnt on the internet that the common person is not even half as intelligent as you think they are
You're way too optimistic. Also "could of"?? Contractions are not hard.
@@cesj1 It's also not that hard to avoid correcting other people online, where formality isn't as commonplace or required. Yet, we have plenty of people doing that same exact thing, so I guess it's an urge just to point them out? xD
@@mcburn_ You're acting as if that's the only thing I said. Simple contractions truly aren't hard. Also footnote: I do whatever I want to.
No, a 12 years wouldn't have been able to hack a steam developper account and then use that to hack shadow.
The game was not sent as a .exe on discord, it was a steam link to a compromised game. It's just as much steam fault here for putting virus on their plateform.
yea, the reality is, a surprisingly high amount of companies have very poor security, you'll be surprised how many companies genuinely use "123" type of passwords. But the fact that this was a Cloud virtual machine related company and not a regular restaurant or something it's outrageous
No. Not really.
u mean `1qaz!QSX`?
atleast not 0000 type of passwords
@@kevinwebster7868 At least in my experience, a lot of small businesses have old people on top that don't know or care about security (some young people not excluded), "123" type of password was more of a hyperbole.
Maybe more like "Very poor security practices"
But yea, I've actually seen "myCompany123" more than once
Reminder that Sony was storing passwords in plaintext. Not even weak hashed.
Incredible! Imagine running a business providing virtual machines in the cloud, YET an employee decided to run a random EXE on their own production machine...
It wasn't a .exe sent on discord but a link to a compromised steam game.
Doesn't excuse bad security tho
@@jerejere-qv7xk still an executable binary.
@@jerejere-qv7xk source?
Bruh you realise lowest employees have usually 0 trainings in companies they're only train to answer customers
It's the issue of companies, they think only IT people should be trained on this and non-IT people don't see the point in receiving those trainings
The problem is that any smart guy will take his shot on the most careless employees that will guarantee his chances to succeed
It's like the rubber ducky hack, it all relies on the guy who will pick it up and be curious enough to see what's inside without precaution
Look up to Ulcan, he's a crazy french hacker that mostly succeeded through social engineering, he even freed random people from jail just by calling 2 cops who he knew weren't on the same floor and still had to interact with each other. He just learnt the day before how cops are used to talk together.
@@jerejere-qv7xkthats even worse
You'd just think Shadow the Hedgehog would have a stronger sense of internet safety. A shame, really
Dude... Shadow is an old man lol.
I bet Sonic hacked it
We live and learn, that's what matters.
yea such a shame
He should've used 70 alternative accounts, like Eggman.
As soon as i read "social engineering" i immediately knew what happened. A friend recently fell for it lol
I would compare the security of these companies to swiss cheese, but that's insulting perfectly good cheese.
Those defenses aren't even paper width
A fun fact is that in aviation and increasingly safety overall a "swiss cheese" model is used
@@kacperkonieczny7333They're probably very strong, it's the, uh, PEBKACs that ruin everything...
A naked man fears no pickpocket.
that's why I don't fear pickpockets at the grocery store
A collage student is like naked man
Pickpocket is the least of his worries when m o l e s t e r s exist.
as someone who works in IT, youre right, we do in fact assume that everyone is an idiot
and people _still_ manage to do worse than i could ever have thought of
also, love the privacy and security tips!
I used to have shadow, and I stopped because not only is the product garbage (6 years old hardware), the support is beyond imaginable, like they take 5 days to send a mail saying "We'll get back to you". Never subscribe to it.
I've encountered more adults, generally boomer and older, that will trustingly download and run programs that lead to them infecting their PCs.
The 2021 bankruptcy story is well-known: They charged too cheap for the service at that time, but the processing load exceeded the benefits. They almost got ruined. They have been acquired after this bad move.
For the rest, it's exactly why I agreed with the tech company where I worked where they were **decent** protection measures. Not good, only decent, because I don't think this is at all common. The regular users only saw, "Our service is so bad. We can't do anything easily!" In a purely non-tech company, it isn't even possible to explain to someone why giving them my session password is a bad idea. "I'm not going to steal your account, you know?" That was a very competent colleague of mine, (I'm not being ironic, her job was different) looking at me like I was being stupid. Computers and good practices are something people view as something absolutely unimportant... "Until they get burned." To quote a famous social engineering book.
I wish they were more active with helping compromised accounts, poor people waiting weeks for a reponse
I own a domain and I run a ton of email addresses - basically giving each service their unique one. And to be honest, it's shocking to see how many services are sharing data - willingly or unwillingly.
catch all?
no, as a lot of scammers do typos or invalid addresses to catch that as well.
Why does it sound like you're snooping...?
@@erikkonstas not sure what you're trying to say.
@@Toei-Rei How do you know what your customers do with their emails?
Holy frick, how gullible you have to be to have cloud-based company and not having InfoSec dept. Is this Shadow some fresh startup or something?
I don’t think they are a new company considering they have such a large userbase
That department can't do much when the evil is manually invited inside...
I wrote a news post regarding this incident and I had to stop for 5 minutes because I couldn't stop laughing at the "sophisticated method". 😂
If Shadow is a french company then the GDPA is going to slap them hard for this kind of breach
le truc le plus vrai du jour
Thé GDPR Is a Law
Is thé CNIL that will slap their ass
No. GDPR isn't going to do anything since they've told their customers very *very* fast about the data breaches and gave an explaination (although quite blurry) of how the breach happened.
A lot company will have their customer's data breached at some point or another. And the CNIL doesn't beat companies' asses just because they got hacked, even if it was as stupid as that.
Source: I worked with GDPR and the CNIL for a bit of time.
@@BashirooThen what you're telling me is that these organizations meant to enforce the laws are not actually completing the purpose the law was designed to achieve.
@@maiyannahGDPR allows you to store customers' data, but customers have the right to have their data deleted.
its like discord is in a land field, and just keeps stepping on mines.
I'm surprised so many companies don't implement the zero trust model.
Remember: don't shame individuals for falling for scams. It's ok to make fun of a large company for not having good IT but the practice of shaming idividuals makes people not want to talk about this kind of thing out of fear of being shamed and so we A.) don't get to learn as much from other people's mistakes because they won't want to share and B.) people won't ask questions they think are "stupid" and will try harder to just figure things out themself which is more likely to get them scammed. We need openness and that can't happen if we're shaming people for things that are only obvious in retrospect or with existing knowledge not everyone has.
Well then, I guess I'm glad I only ever put one of my throwaway emails into Shadow and no real info.
imagine getting hacked by a discord user
Nah fr discord users are all skids
cringe
@@SwordfighterRedfor myself
Love your content man, keep the hard work up!
I' an IT Tech and i do notice a lot of companies don't have things locked on the computer from letting users installing things onto the pc
no joke, my pc broke a few days ago and i was about to go buy a cloud computer from SHADOW. its safe now, but the coincidence is amazing lol. (didnt see the full video yet only the first minute).
and also, they mentioned steam in the video, a few days ago a situation occured on steam where people managed to bypass steams antivirus and upload games with malware onto steam. i think they might be linked? i dunno me stupid
This happend to me, (Also in September), like got a message from a friend for testing a game
It is a pain to communicate with the Discord Support
when did 4chan migrate to discord
_Long ago, beyond the ages, pass the mountains and rivers the council of the 4chan decided to migrate to a new platform_
Bruh they literally straight download the malware, the only trickery was renaming a file and making a crappy website. I had no idea about this, keep up the great work!
Dang, I fell for this like a few weeks ago. Secured everything except for my discord account at this point, so don't worry about that. I'm an idiot that sits at their computer all day, these are supposed to be professional workers.
Where I work, we are allowed to download and run anything that isn't forbidden by IT. We do however need to keep our personal stuff on a separate account from our work stuff if using a personal computer. For accessing customer data we have a secure laptop that restricts what programs we can run and what websites we can visit.
Wow, you're allowed to do anything that isn't not allowed?
Yea, we are told what we can't do, not what we can.@@DarkGob
Companies will never take accountability unless they are forced to either from damning evidence or legally
discord needs to hire this man
How the FUCK, does a 500k+ customer company. NOT take security seriously??
We love NTTS content!
In India it is now illegal to store CC info, you have to tokenise it. Now they have introduced direct tokenisation at bank's website, so you just use token at other websites.
Um WTF... and how would most websites work then? I don't think they are designed to accept some random "token" instead of normal CC info...
They are forced to. Once you realise you just need a way to link back to the bank account, you don't really need CC info. A unique identifier works. Payment gateway implementation is easier as the complexity is on the bank's side.
Payment data of Indian customers are also mandated to be stored only inside India.
@@curious_banda I feel like that would harm Indians more than it would help them... imagine if they want to pay for something at a non-Indian site without a server in India, what are they supposed to do? Is this basically capital controls?
@@erikkonstas Which card network doesn't have a server in India? You need to realise transactions happen via payment gateways of these networks (Visa is a network), the website doesn't actually handle it. By payment data and processing there is specific data involved, it doesn't just mean the bill generated by a merchant.
MasterCard cried to the US government about it. Nothing happened, they were forced to do else all MasterCards were going to get blocked in India. New signups were already blocked due to their non-compliance and cards of domestic rival started getting issued.
Plus as of now tokenisation isn't enforced on international files (though they should be), it is domestic mandate only. Fortunately, relatively (on scale) the number of international transactions is not big compared to domestic.
Also, card transactions require OTP in India. Same is not the case for international transactions as the mandate is for domestic gateways.
What happened is that they send a link to a steam game that was compromised. So the employee trusted the steam platform where they downloaded the game from.
It is linked to a earlier hack of a steam developer account.
They went bankrupt 2 years ago but were bought back buy ovh owner, nothing lost by the users.
why did they download it on work computer
@@Zeda1002 shadow pc is mostly sold as a gloud gaming subscription. He probably wanted to test if the game would run on actual shadow hardware. But yeah it's still stupid.
@@jerejere-qv7xk "test if the game would run on actual shadow hardware" by playing it on their work pc?
@@Minecon724 I'm guessing their work pc was shadow hardware. But like I said it's still stupid. The fact that the employee could have access to all of that was a clear lack of security too.
@@jerejere-qv7xk lmao testing on prod instead of making a safe test system
Truly a master at work
love the content keep it up mr
i expect cloud computing to be insanely sophisticated because all the tokens usually expire in 2-3hours sometimes a week and refresh is easy to build.
all the cloud providers i have worked with have a special token for each service. these tokens are huge strings of letters almost impossible to crack.
and we the users of these services are requested to be careful in our production environment.
I would be so fed up if my token expired every "2-3 hours"...
I had Shadow before the OVH buy out. It was a great service sucks this happened for sure.
I used to use shadow pre bankruptcy, it was handy for playing PC VR games on my oculus quest remotely. I've been slowly watching them circle the toilet drain since then, my subscription was long cancelled in 2020 and account since deleted, but as someone who's been keeping an eye on them this isn't surprising really. On the bright side, none of the information I used for shadow is up to date anymore since I signed up before coming out lol
As an Incident Responder a I see this a lot. Less than 1% of cases are actually "sophisticated", most of the cases are dump stuff like this and they add the "highly sophisticated" just to safe face
Bro I was waiting for you to say "but this could have been prevented by today's sponsor guardio"
Wow, I am very surprised I avoided this exact malware problem without knowing I was right.
imagine when discord is not safety💀
When discord not is trust and not is safety
whn dacad no hayp nd hker gt ip adares
So the company had an "idiot" on the computer that day
So this is why you dont do that on work computers
1:08 ay finally someone giving a hint as to how much it fucking is
A lot of people don’t take cyber security seriously, they always think “I don’t care if my stuff gets leaked, why would anyone target some random dude like me”
People finally talk about shadow and it's about the data breach. Lovely
imagine being a "hacker" and going thru their website to only find yourself?
truly when company that got hacked
Funny fact: I tried naming my little studio Shadow Studios as a child but I saw this logo and I was like nope we can't do that
oh hey i got hacked like that, i am really glad i am one of the people that got to keep my account :)
Poor Cookie Monster gonna get his cookies stolen 😂
Not funny
This, Actually sucks.
I am own/rent a computer from their site, listining to this from NTTS is just mind blowing.
(I also received the email, and I thought I was safe, it seems that I am not. I still dont know if I should cancel my plan, as I use my computer as a gaming pc, due to me not owning a gaming pc, so I am kinda stuck in a tough spot)
I cancelled it, gonna get my own PC and as for gaming use GeForce Now with fake details. This was the final straw for me, billing address, full name and DOB isn't like a credit card that can be terminated.
Revolut offers virtual cards with costume limits (x € one time, per month, or x times only) too
Jokes on you, I don't have a credit score
imagine seeing the same thing happen to discord
7:38 This is the best idea! Especially if after a year you forget your password and the site asks for your date of birth and takes it as a security question and you're screwed (it happened to me on two sites)
And that's why we use something called a *password manager* , as long as its name is NOT LastPass...
Total Cloud Computing Destruction
Love Your Videos No Text To Speech!
i liked my own comment too
I always lie about my birth haha.
These Videos are so important!
Good Content, keep up the good work!
me, a ceo entrusting that my employee that used chatgpt to apply wont download viruses on his work computer
Social Engineering and Highly Sophisticated dont go in the same sentence.
if you are going to make up a DOB make sure it is same across different services because oauth2 might give a service acess to your DOB and if they arent same they might seem suspicous
like, just have a similar DOB for dumb shit, and your real one for actual gov shit
@@oxymore13 yeah
OAuth2 is the authentication protocol, not a service, it's one site connecting to another via it that could do that.
@@erikkonstas yeah
And they didn't even clear their cache...
Good that I don´t have Shadow anymore since they raised their prices
Shadow should have used shadow to run the game lol
whenever you post a video i am almost always eating pasta
is this a coincidence
"He's in the walls, HE IS IN THE GODDAMN WALLS"
As someone who works in the industry, you should assume all security is a slice of swiss cheese. You should have multiple layers of different systems designed to catch out many types of attacks. It's not really surprising about any new data breach. Corperations will never take security seriously because that would eat too much into their bottom line. You build a wall around your business but didn't bother to add multiple inner walls with tighter checking at each gate. Social Engineering will always be an exploitable attack vector if the employee has too much access to the internal systems they use.
The real way to stop your data getting leaked is to just never give it to them in the first place. If there is no legitimate need for information, give them fake information. Use burner emails or email aliases you can create and destroy. Companies are only looking at the front door and thinking its the only way in, unbenounced to the many holes and cracks others have found in their wall.
Wait, virtual cc isnt standard in other countries? In Czechia, even banks offer you to create Virtual CC, that will last for few years, or one time Virtual CC that will expire after 30 minutes and you can add limit, that can be withdrawn from it
This Discord hacker is literally so advanced they could even work for the FBI or something similar to that instead of scamming people around.
Hello nigga
💀
@@nubidubi23Your profile picture is literally a perfect reaction to that comment
A hint for whats to come.
bro got god rank in a hacking site 💀
Sophisticated. Not only are companies now getting scammed by the most basic scams in history, but they also lie about them being “sophisticated”. Now hear me out: Just telling that stupid truth straight isn’t easy, so understand them a bit. But I still do agree that it is very, very, very disappointing. Other big companies should prevent this ASAP.
It was quite sophisticated, ntts was missinformed on what happened because of the stupidly written press release.
- Hijack of a steam developper account
- Upload of a malware specific for shadow disguised as a game update on steam
- Send an employee the link to the game on steam
- Classic cookie attack to access the server without credentials. (Not sure about this part)
Still there should have been system in place to prevent that.
Bro’a dental care really fell down
THIS IS A SIGN FOR ME 😭😭😭
Ahh Windows 7, how I have missed you.
Dayum im surprised with how that even happened 🤓
You might say, "Shadow is a rather shadow-y company"!
This isn't the first time a young man has breached the data of a large company
LOL I think I know what you're talking about... 😂
@@erikkonstas Tell me
@@shrimpaerospace Well, NTTS had made a video a while back, about how some youngster with access to military classified data exposed it in the name of War Thunder...
I just got my discord account hacked by one of these, Everyone please be aware of this hack, It may look easy to point out but I fell right through it, Please be careful!
Hello. Every time I try to log in to Discord, I can't log in. The discord icon in the middle keeps turning around and saying "we are investigating an issue with twitter links not getting embedded" and it says this. Could you help ?
Ahh, it's fine. They should just change all of that information, change your address, credit card expiration, all of that. Easy.
I'm so over the defeatist attitude of "oh everyone has my data anyway so who cares" like I got so much shit from people when I ditched windows for Linux like "who cares dude they already have all your info anyway what's it matter now?" It's such a garbage mindset I can't even waste brainpower arguing against it
Where is that *D A M N* cookie!? ~ Shadow, not the company.
I thought about using Shadow PC at some point in the past... glad I didn't, considering their IT and employees are that incompetent.
(0:26) Ouch. I immediately recognised Shadow as they, like Discord, originally marketed their service to PC gamers, but much like the latter, the former branched out.
I had considered subscribing to their service, but ended up not doing so as they didn't have a server location in the region I live in, and had since moved on to a DIY solution.
(0:56) I think Shadow were competing with Microsoft's own Azure Virtual Desktop and Windows 365 services with that. Wow.
(1:05) I remember I first heard about them through a "My Mate VINCE" video where they loaned the host an account on a server in France and one of their preconfigured thin clients.
this is just a normal discord group chat
I've been looking into getting a virtual credit card to prevent this sort of stuff but unfortunately I don't think there's any that are available for my country
i think i lost 2 brain cells
You should make a video about the discord vulnerability. Discord has a CSAM detection system , which is kinda obvious. If you post an image and discord detects CSAM from any frame, it'll ban you instantly. I think you can guess where this is going; some creep had a video of CSAM, the frame starting with a dark skinned guy eating popcorn. If you take a screenshot of that frame, which does not include any inappropriate content, discord will detect it and instantly ban you.
Shadow is now owned by OVH but yeah that a big weird company even today
Speaking of hacking, I think I may have a virus, as I keep getting the connection refused error, however my internet is fine, I've checked it all, and it's only with my computer account, all my other accounts are fine. I've deleted my memes folder, mp3 songs, and downloads, what should I do next?
The email thing so true lmao
as a 15 year old and never fell for a scam this is just sad
1. make API safe from the public
2. make API allow you to acess everything in the comany's private network cause why not
2!
Last year I tried shadow and got sick of it because of the monthly price, doged a bullet giving them up so soon
seytonic 2: electric boogaloo