indeed fear-mongering so I don't know why people downvote you
There is no magical tool for bypassing account credentials, I frequent these hacking forums and I've hacked accounts myself (not specifically for this game).
These "hackers" are using a bot which makes thousands of login attempts of credentials found in db leaks of other websites. You can check haveibeenpwned to determine whether your account can be hacked easily. The bot also checks the error from incorrect login to determine if user/email exists, and sends to another bot which does a dictionary attack on those (this is a dumb security flaw on mihoyo's end), this includes accounts where user/email was correct from db leak but the pass wasn't (so even if you are using a different pass than you normally would, you should make sure it's complex)
Credentials that result in successful login are added to a list, including user/email/pass/id and whether the account has phone/email.
There's another bot which takes this list (also checks a public list on a specific hack forum) and for accounts with no email/phone attached a temp email is added to it and pass is changed. For accounts with email but no phone, the bot does api request which links a virtual phone number without any confirmation required (another dumb security flaw) which makes it possible to confirm unlinking of email via phone instead of email. For accounts that do have both phone/email, they can't get access to it but some hackers are posting these on a private topic for attempting to access the email (so make sure you're using a secure email provider like gmail and you have 2fa on)
If you have phone and email attached and your credentials are not in a db leak, they can't steal your account.
Feedback for Mihoyo:
Strict rate limit. on api requests
Strict scope for api requests (forbid account endpoint without recaptcha)
Apply rate limit. to all login attempts from IP (even when account doesn't exist or when new email is typed)
Apply rate limit. to all specific account login attempts across any IP's
Remove identifiable info from errored results
Require email (or via connected account)
Remove username login (seriously, you removed username reg, remove the login too)
Remove character limit. on pass and require strong pass
Require email confirmation on email change and remove unlink email option
Require email confirmation when linked phone is changed/unlinked
Notify by email when attempt to login has been made from unknown device
Require 2fa confirmation when logging in from unknown device
Remove the welcome message when loading the game, even if censored the string can be used in a regex search in db leaks, this can be used to target the accounts of high profile streamers.
Majority of these things are a set standard for security that many companies implement, it's sad that Mihoyo with their $100mil+ profit can't afford a competent webdev team.
해커가 과거에 유출된적 있는 사이트의 아이디와 비밀번호를 이용해 미호요 사이트에 접속해서 이메일 연동을 해지하고 계정스틸하는 사례가 있다고 합니다
예: firstname.lastname@example.org라는 네이버 계정을 쓰고 있고 암호는 zxcv7890쓰는데 원신 계정도 네이버로 연동했고 암호도 똑같은 zxcv7890 쓴다는 경우
걱정되시는분들은 여태까지 어떤 사이트에서도 안써본 복잡한 비밀번호로 변경하세요(그렇다고 너무 복잡하게 쓰다가 로그인 못하는 경우는 만들지마시고)