Exposing a Discord Bot's Secret...
- Published 16 May 2024
- I get told a lot of secrets about things happening on Discord, but there's this secret that I have to tell you. A popular Discord bot called Mushroom suffered a data breach. And it seems like they don't want you to know (because it's embarrassing how it happened).
Now this data breach / vulnerability / whatever you want to call it, is a bit different compared to some other data breaches I've covered. There's a lot of dumb and there's a lot of smart going on.
LINKS
-----------------------------------------------------------------------------
Blog Post
stealing.info/mushroom-gg/
SOCIALS
-----------------------------------------------------------------------------
Discord Server
/ discord
Twitter
/ notexttospeech
TIMESTAMPS
-----------------------------------------------------------------------------
00:00 - What is a mushroom?
00:57 - The breach
03:18 - The exposed information
04:18 - This is still bad
05:53 - More Issues
Category: Film & Animation
Remember guys, getting exposed is always way worse than owning up to your own mistakes like a champ.
ok
ok
I don't have the courage to admit that I am a furry and I'm afraid of getting exposed...
@BeanKing-tm9bh you have no vids and you're clearly a bot
@commenter621 Disgusting
Report them to GDPR regulators for their lack of disclosure; they can receive a really hefty fine.
I wonder if that would work. I'm not sure where they're based, but GDPR only applies to services and companies based in the European Union or providing and promoting specifically to citizens in the European Union. As an EU citizen, I for example couldn't sue a global company which operates both in Europe and in the US, if they legally collected my data in accordance with US laws, but illegally in the EU, since they do not advertise their services in the US specifically to EU citizens.
As many people think they're able to know a law by seeing a tiny part of it as part of a UA-cam video, I'd like to quote the website of the European Union: "Provided your company doesn't specifically target its services at individuals in the EU, it is not subject to the rules of the GDPR."
@mstrmren My man, as long as their services are available to citizens in the EU they have to comply. The laws were worded specifically this way to stop companies from doing exactly what you just said.
@mstrmren If you are a European citizen and your data is being stored - within the EU or not - it is under GDPR laws. In fact, Google, which is a US company, was recently sued by the French data protection authority.
@teqnixdk Because they target their services at EU citizens. They have French websites, have offices in France, you name it... I could not sue Walmart or Target, as an example, for mistreating my data if I'm in the US. I am an EU citizen, and if I use the services of a company from the US that doesn't specifically market to Europeans, they are not under GDPR law.
@SheriffJake_ If they market them to EU citizens, yes. But European citizens could, for example, not file a complaint about Walmart misusing their data as they aren't a European company and do not target their service to Europeans.
You'd be HORRIFIED by the amount of corporations that don't disclose data breaches when they're found. Not just some random companies, corporations worth billions you use on a daily basis
cuz if people found out about it, they would probably stop using it
@martinkrejci3687 yep
Interesting, I made a user data breach with Clyde 2 days ago and they are shutting him down, he told me things he shouldn't have, you think I can be paid for that 😂 bc a 5 y/o could have done this
@starseedlightworker6539 I'm really curious, how did you do that?
Once again, the only correct approach to a Discord bot seems to be to make one yourself.
yep
there's a reason I run my own server and a few others
Yup. I'm the same. Already have one, with a second planned.
not everybody has the tech skills to do this.
@shirokane0153 but everybody has the capability to learn, even the least intelligent people.
@silitome3086 some people can't get the hang of it always tbh
Just like NFTs, but you're not actually spending any money "... or going blind"
Love that reference
This reminds me of that time Microsoft had 5 copies of a database full of user support details all accessible from the internet. I believe the exact same browser was used to find this and was kind of worrying (:
What browser?
@AbstractElement "BinaryEdge"
there's a forbes article titled "Microsoft Security Shocker As 250 Million Customer Records Exposed Online" that goes into more detail about it
thanks for the consistent high-quality and easy-to-follow explanations and stellar editing as always ntts :) we love you
fr
@niceday996 YOU SHOULD GET RICKROLLED NOW!!!!
smells like a bot
@JavierRo_100 nah, if you click the pfp it shows other comments and they don't look bot-like
@JavierRo_100 a bot can't upload yt videos, but this man has.
watching ntts is honestly something i love doing before i start my online school stuff
Another great NTTS video to watch! Thanks for your constant uploads and high quality vids!
bot 😂
@KrystPl I'm literally not, stupid
@faddybasilisk09 ur a bot that is coded to have that function to say a response that is called "I'm literally not stupid" and i bet if ur a bot then reply to this reply
@KrystPl omfg stfu mg I'm serious stop pinging me
@faddybasilisk09 you just added a coma (,) to your own reply lol
we love you too, and about the bot, that's some huge leaks right there as you know, but until today we haven't heard any news regarding info being sold publicly so idk, maybe we all just got lucky for some reason. This was a wonderful and informative video and I hope you get more honorable members in your community.
bi now
love watching your videos right after my 8am cs class
holy shit i remember that mushroom bot constantly giving me dms about friends playing games and I'm glad I didn't sign up. they deserve it, unwanted dm spam resulted in them getting breached.
but I loved it, and seeing it now disappear is like hell...
No, Discord's platform had a data breach and that's what caused Mushroom to have a data breach, and thousands of other bots were hit too... At least Mushroom made a public announcement about their data breach. I didn't see any other Discord bot making their data breach public...
Geez, mixing Cryptocurrency and Redis is telling us how bad this leak went. Maybe add a password next time...
It's straight-out illegal where I'm from to not inform users about this issue.
As a member of Mushroom this is fucking insane and I'm kinda mad about some of this. Also, 6k emails is like half of the entire server. One last thing: Mushroom is now getting shut down and it is literally becoming the new Discord, and they have been planning this for a while, as I talked to an old mod of the server.
Oh stfu "aS a MeMbEr Of MuShRoOm", data breaches are nothing new and at least Mushroom made it public knowledge that it happened. Thousands of other Discord bots all had data breaches as well at the same time as the Mushroom bot and none of those made it public knowledge. You look really ignorant and seem to be just trolling.
NTTS videos just perfect to be the angel that drive me to sleep while giving me recent silly news about discord 😴💤
e
youre sleeping in 7 minutes? teach me the ways
@jayyh_01 watch something on phone, fall asleep, success
@niceday996 istg this here comments section is papa's botteria
your mom gives me updates of her only fans every night, that's how i fall asleep too.
Love it how the mods are in full denial in the discord server and saying NTTS's vid is BS.
Servers and databases by default encourage (sometimes force) you to use passwords. What was this mess of a bot's security?
I just spam letters, and often stored deep in a flash drive, in a completely unsuspecting folder. I do that a lot for a lot of stuff.
Exactly, shows they’ve just tried to do things the quick way. Having any database with fully public access alone is worrying let alone with a blank password. They must be using some budget system if their DB allows no password lol
well i guess this video needs to be shared around!
If about 138k server admins who use it get to see this video, I doubt it will stay on 138k servers. Had they disclosed that on their own, they would only have lost like 25% of them and not 99.99%.
Good video keep up the good work!
yes, finally somebody talking about this!
Yes, finally, someone is talking about data breaches that happen ALL the time and rarely ever are disclosed to the public... Oh wait, Mushroom did post a public announcement about it so all can know what happened.
kinda sucks that they don't take security seriously, the idea they got is at least interesting on the surface level. but I ain't gonna touch it with a ten foot pole now, thx NTTS.
Oh this is really helpful. I did not know this at all
Hey, about the GDPR Art. 33
I think GDPR Art. 33 only talks about disclosure to the authorities (GDPR, Art. 33(1), sentence 1; that's the one you showed) which, I think, is not required to be public.
GDPR Art. 34 talks about disclosing a data breach to the data subject (in this case the users) but only if "the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons" (GDPR, Art. 34(1)).
Even then it is not required to be public as it can be only disclosed to the affected persons, the disclosure can be public tho if it would involve a "disproportionate effort" to notify the individuals (see GDPR, Art. 34(3) c)).
But I am not a lawyer so don't quote me on that
me daily watching ntts showing the worst discord dramas ever
Hi n5u I subscribe to you
ok
Discord is full of predator
@DjXavier189 your parents don't let you use Discord, do they?
no
man I joined their discord :/
I met half of my friends there, its unfortunate that this happened tbh
Ntts blurred his discord servers a frame too late 😂
this video is good but now Mushroom is down, it's catastrophic... like, exposing is fine but making it go down is a Huge no no TwT
i dont have it in dms tab anymore
did they remove it completely?
i was using it and now POOF gone QwQ
@KubaTvCHANNEL yeah, it just disappeared and the website shows a 503 error, and the bot quit my server by itself too qwq
i literally just saw that tiktok at the end of ur video last night and i was dying, i couldn't breathe, i was laughing so hard
Like putting a password on a database server is hard. It's default config on most major database systems, needing to be disabled, one line in a .env file and some code to read that .env into your connector code.
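The comments above about passwording a database server, and the .env remark just above, in working code as an added defender-side example (not code from the video, the Mushroom bot, or any commenter): a small Python linter that flags the weak Redis settings the video describes (reachable on every interface, no requirepass) against a hardened config, plus a connector helper that fails closed when the password is missing from the environment. Both sample configs and the env mapping are constructed here; the placeholder password is not a real value.

```python
from urllib.parse import quote

# Constructed sample configs (not from the page). WEAK_CONF mirrors the failure
# mode discussed above: a Redis reachable on every interface with no password.
WEAK_CONF = """
bind 0.0.0.0
protected-mode no
port 6379
# requirepass was never set
"""

HARDENED_CONF = """
bind 127.0.0.1 -::1
protected-mode yes
port 6379
requirepass example-placeholder-password
"""


def parse_redis_conf(text):
    """Map each directive to its value, last occurrence winning, which is how
    redis-server resolves duplicate lines. Comments and blank lines are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        conf[key.lower()] = value.strip()
    return conf


def audit_redis_conf(text):
    """Return a list of findings for the weak settings the video describes;
    an empty list means none of those settings was detected."""
    conf = parse_redis_conf(text)
    findings = []
    bind = conf.get("bind", "").split()
    # Without a bind directive Redis listens on all interfaces; 0.0.0.0, * and
    # :: (optionally prefixed with "-" in newer releases) mean the same thing.
    wildcard = {"0.0.0.0", "*", "::", "-0.0.0.0", "-*", "-::"}
    exposed = not bind or any(addr in wildcard for addr in bind)
    if exposed:
        findings.append("listens on all interfaces instead of loopback only")
    if conf.get("protected-mode", "yes").lower() == "no":
        findings.append("protected-mode disabled")
    if not conf.get("requirepass"):
        findings.append("no requirepass: unauthenticated access allowed")
    if exposed and not conf.get("requirepass"):
        findings.insert(0, "CRITICAL: reachable without a password")
    return findings


def redis_url_from_env(env):
    """Build the connection URL from an environment mapping (e.g. loaded from a
    .env file) and fail closed when the password is missing, so a forgotten
    setting cannot silently become an unauthenticated connection."""
    password = env.get("REDIS_PASSWORD")
    if not password:
        raise RuntimeError("REDIS_PASSWORD is not set; refusing to connect")
    host = env.get("REDIS_HOST", "127.0.0.1")
    port = env.get("REDIS_PORT", "6379")
    return f"redis://:{quote(password, safe='')}@{host}:{port}/0"


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_redis_conf(conf) or ["no findings"])
```

Run it against your own redis.conf by passing the file's contents to audit_redis_conf; a firewall rule in front of the service is still needed, since the linter only checks what the config file says.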
Damn, it happens to be the mushroom, red, and related to machines
I hope Mushroom sees this video and makes some drastic changes.
A naked man fears no pickpocket.
That naked man is clearly not you because your insecurities are bigger than the mount everest and probably your mother too!
@FreeRobux712 Dude. You're spamming insult replies on a comment section for no reason. You're more insecure than Mushroom. Get a life.
LOVE YOUR VIDS!!
You are legally required to disclose any sort of intrusion. If companies had a choice, we wouldn't even know about the constant breaches of companies like Sony.
a GDPR violation can be fined with up to 20 million Euro or 2% of the company's revenue. depending on which amount is bigger
lmao they basically left all these people's info floating around for everyone 😀
Once again handsome ntts gives us quality content for us lil goobers
So mushroom took notes from the Sony? Well least they didn't store user data in a plain unencrypted text file with cards, socials, and other billing info..
i've been using mushroom for years, I never expected to see this
Maybe you should've studied instead of doing so much psilocybin shrooms.
@FreeRobux712 you clearly are too. You can't be this much of a loser without doing something. It's admirable.
You fr help me concentrate when I'm doing stuff
as a software engineer, i can guarantee this happens all the time.
it is embarrassing as fuck, but it does happen.
Just configure the firewall properly...
@BlueTree242 doesn't change the fact that a lot of people are lazy
@BlueTree242 You'd be surprised how much of hacking is just putting keywords on Google. This is why large organizations hire people to hack them on purpose; sometimes stuff like this just gets overlooked.
@Upshotr correct.
or sometimes you just forget it.
Mushroom is still down and two months before this I had no idea this had happened 💀
I knew this bot was way too big to handle for the team behind it, just had that gut feeling months and months ago. Glad I never implemented it into my server.
Imagine not making your own bot. Yeah, it takes about 2 weeks to get a relatively functional draft going without any bells and whistles, but it's very much worth it.
I can confirm that most people who THINK they can make a bot because they watched a YouTube video will make the most insecure bots
@BlueTree242 yeah well no, takes a bit more understanding than some shitty YouTube videos, and making them secure isn't some mystic art, it just requires understanding some basics, and one has to be truly worthless of a coder in order to actively counter whatever security solutions can be had from the absolutely countless libraries out there. The Discord bot in this video is a fucking joke with everything basically hardcoded and laughable attempts at obfuscation that anyone who can follow the execution order would immediately spot.
@streamshorts7833 I am talking about mistakes such as exposing the database server or not setting a password; vulnerabilities are a different thing
Any company that doesn't take information security seriously is not worth engaging with in any capacity.
Love your videos
"it's just like nfts but you aren't spending actual money. or going blind."
or getting anything to really *keep*.
never knew about this bot and I find him kinda interesting. Does he expose data now?
I was in a Discord server which had the Mushroom bot. It DM’d me and gave me points every time I started gaming, but I eventually left the server for personal reasons. Now that I’ve seen this, I realised I just dodged a bullet (and have probably gotten my data stolen already) 😰
Now we need to wait for that one person that will actually sue them (I would if I could)
>popular discord bot
>you never heard of it and didn't even start to
I don't even know why people make Discord bots and sites if they can't even protect their database
No text to speech is like that one reporter that gets turned away by the manager walking away in all those CNN videos
Yooo I’m kinda early!!! U are W UA-camr
"I am old, I am balding and i yell at the Tv". I am a teenager and this describes my life 😭
Please make a video on disboard🙏 their review system is crap now and the only guy doing the reviewing refuses to change anything and lets the staff take the heat for him when they are volunteers
It's probably unrelated, but when Discord had the # numbers, I received a random DM from someone asking if I was the owner behind the Denji AI chatbot he was talking to
I used the name denji#0 in discord when that happened
The bot told the man my username and discriminator
has haveibeenpwned been updated with this breach yet or is there another way to know if I'm affected
Do you have to allow the bot access to personal data by authorizing it or will being in a server with the bot alone allow it access to this information?
You have to allow the bot to access your personal information so if you joined a server with this bot, and you didn't authorize this bot, then you have nothing to worry about
@@trimidsmod6391 thanks man youre the best!
This video literally got the whole platform (mushroom) shut down for good on Nov 30th.
ayo ik you
I don't use discord but it is always funny to see the dumpster fire it is. Keep up making this quality entertainment
As someone who does, can confirm it stinks
I turned off automatic updates for all my apps just because discord ruins it every 2 minutes
Already sent a report to the responsible authority. Lets go
Wow, this was fast.
Oh sh!t i was logged into mushroom ever since a few months before the new logo for it
06:26 why from small bot?
wouldn't small bot just use 1 server with all databases listening on localhost (not connectable from internet) or not listening at all (like sqlite)?
cuz 90% of small bots are made by skids (speaking from experience here)
following a "How to make a Discord bot" is the most skid sh!t ever
how does one not put a password on a database? almost every example configuration for databases has some sort of default password
Mushroom already sucked, and now it got breached
nice video!
thats crazy
Fr bro
fr
it feels nice to have someone giving me kisses and saying me everything is ok I gotcha
this bot started messaging me every week without any input from myself. i think a year ago? it lasted a while but it stopped a long time ago
1:02 You can say SHODAN. I allow you to.
bun is our hero ❤
Ooh, a security breach on my bday
Honestly I don’t even remember why I have mushroom I just ignore it everytime it pings me when I play a game
1:05 oh my god Rhett from GMM
did you explain to the feds what happened with that picture of “cheese pizza”
Chicken nuggets with ketchup
Fr cant agree more
damn and i was close to the higher ups at mushroom, this is sad.
LOL I can guess why they booted you, you wouldn't have any of their sloppiness... 😂
@erikkonstas I didn't work there, I just knew some of the higher ups, but sad to see this happen. Eh, whatever tho, I don't use the platform as it is anyways.
this is why i stopped mushroom from messaging me
I mean, that's not what can harm you (unless you end up clicking scam links).
So their server-side testing server was facing the internet and accessible? Then that was the doorway into the DB.
mushroom bot kept dm'ing me so i thought it was a scam or something of the like and blocked it...guess that decision 2 years ago saved my ass
I have this bot blocked because it DMs me when I play some game for more than 1 hour without me wanting it
DAD WAKE UP NTTS UPLOADED!
Hey NTTS! Lately, I got nitro and I received a lot of dms asking me to give them my Xbox gift. The messages are almost the same but I don’t know if it’s a scam, do you know?
mushroom made somebody say 'bruh' it must be really bad!!!!!
It's like Discord and the vast majority of people surrounding it just discovered the internet. The things this platform goes through I have seen years ago already with forums and before that IRC channels and message boards. It's all repeating itself and Discord is making the same mistakes over and over again. Nothing was learned. It'd be a bit sad to see if it wasn't for the fact that I knew this was going to happen the moment this pile of shit landed and seeing their culture in the first year. Wonder how long it is going to go well for before their only option is being bought up completely, gutted and turned into an even more restrictive shell of a platform, only to spawn the next startup doing all the same shit again.
Me really not watching the video for the kiss at the end 🤔
now i feel lucky i saw no need to be part of that website, so i just deleted my account
So IDK but a MushMod actually saw this and thinks you have something to do with this or you know someone who does, and he said the company might be suing you
I'd say Mushroom is run by a bunch of kids
well, nft without spending money is way better in my opinion
What browser do you use?
okay, but how do I get Mushroom to quit DMing me with "completed your quest"
I don't even know how I added it. All I know is my friend added me to a server and now Mushroom keeps harassing me...
block
How do you just FORGET TO PUT A PASSWORD ON YOUR SERVER???? My FREE webhost REQUIRED me to put a password on ANYTHING that could let people upload/access my site data.
i love how Discord gives NTTS so much content; every day he has loads of subjects to talk about LOL
mushroom moment
Damn.
ntts's voice is so hot
Fr