If you use the popular chat platform Discord, you may in recent months have been duped by a link from someone you thought was a friend.
If you clicked, there’s a decent chance you are still locked out of your account. Because while hackers stepped up their game on the platform, longtime users say the company is not responding in kind to the problem plaguing the site.
Discord has a hacking problem.
The links, coming from already compromised accounts, seem to be innocent. But they are malicious, designed to take over unsuspecting users’ accounts when clicked. It’s a standard phishing attack, but on a platform that prioritizes easy communication, sometimes you click before you think.
Discord started in 2015 as a new chat platform. Now millions of people use Discord as a way to connect with all kinds of communities, from gaming to music to art. Discord, it says, is “where your world hangs out.” But the recent rise in hacks and scams is interrupting the usually chill platform with concerns and frustrations.
Frustrated, hacked users are moving to other platforms like Twitter and Reddit to post their stories. Many of them share the same tale: after their accounts were taken over, there was no way to get back in with their password and email, even if they had two-factor authentication (2FA).
Discord’s support for hacked accounts varies. For some, the process of recovering their accounts took weeks. For Edward, the road to stopping his hacker nearly ended in his old account being deleted.
A college student and programmer in San Diego who used Discord for years, Edward had a special badge called the “Early Bot Developer.” Discord awarded the Early Bot Developer badge to users who created a bot that was in 200+ servers.
Edward’s bot helped users play multiplayer games via Discord and was in over 950 servers.
Being the owner of an Early Bot Developer badge as well as the bot opened Edward up to more hacking attempts than an ordinary account would—he says he’d been messaged at least twenty times by scammers trying to hack in. Unfortunately, the last attempt succeeded.
“For me it just lined up so that it seemed just convincing enough that I fell for it,” Edward said.
Edward says these hackers are often able to infiltrate school-associated Discord servers and wreak havoc from one person to the next.
“They’ll especially look for school Discords to try and get all the people in that school and then look at the high-profile accounts that happen to be on that school discord,” Edward said.
Schools are the perfect target for hackers because of the potential they have to reach more and more accounts through users who are close-knit. It works like a branching system, with each account potentially leading to more and more hacked accounts through their friend list.
Edward’s hack came from a friend in a mutual server for school. As a Computer Science major, he says receiving a request from a classmate wanting help testing a game wasn’t out of the ordinary. The innocent-looking link from his friend’s hijacked account cost Edward his.
“When you try to log in, it steals your credentials,” Edward said. “And then it also steals your session so that it can change two-factor authentication so you can’t get back into the account.”
Despite 2FA being strong protection against many efforts to breach accounts, if you let hackers in by clicking their link, they can use the stolen session to change the account’s 2FA settings and lock you out.
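As an added illustration, not code from the article or from Discord, here is a constructed model of an account service that shows the failure mode Edward describes: when the endpoint that changes 2FA trusts a logged-in session by itself, a stolen session token is enough to turn 2FA off, whereas requiring a fresh authenticator code for that change stops an attacker who holds only the token. The TOTP routine, the `AccountService` class, and the toy password hashing are all assumptions made for the example.

```python
import hmac, hashlib, struct, time, secrets
from typing import Optional

# Constructed model (not Discord's code): an account service with password + TOTP login,
# session tokens, and a "disable 2FA" action that is either session-only or step-up protected.

def totp(secret: bytes, for_time: Optional[float] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): the code an authenticator app shows for `secret`."""
    counter = int((time.time() if for_time is None else for_time) // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"

class AccountService:
    def __init__(self, password: str, require_step_up: bool):
        # Toy hash for brevity; a real service would use a slow hash such as argon2 or bcrypt.
        self.pw_hash = hashlib.sha256(password.encode()).hexdigest()
        self.totp_secret = secrets.token_bytes(20)      # shared with the owner's authenticator app
        self.twofa_enabled = True
        self.sessions = set()                           # valid session tokens
        self.require_step_up = require_step_up

    def login(self, password: str, code: str) -> Optional[str]:
        """Password + TOTP login; returns the session token (the artifact a phishing kit steals)."""
        if hashlib.sha256(password.encode()).hexdigest() != self.pw_hash:
            return None
        if self.twofa_enabled and not hmac.compare_digest(code, totp(self.totp_secret)):
            return None
        tok = secrets.token_urlsafe(32)
        self.sessions.add(tok)
        return tok

    def disable_2fa(self, session: str, code: Optional[str] = None) -> bool:
        """Weak mode: any valid session may turn 2FA off.
        Step-up mode: a current TOTP code is also required, so a replayed session token
        without the authenticator device is not enough."""
        if session not in self.sessions:
            return False
        if self.require_step_up:
            if code is None or not hmac.compare_digest(code, totp(self.totp_secret)):
                return False
        self.twofa_enabled = False
        return True

def simulate(require_step_up: bool) -> bool:
    """Owner logs in normally; an attacker holding only the session token tries to disable 2FA.
    Returns True if the attacker succeeds."""
    svc = AccountService("correct horse battery staple", require_step_up)
    owner_session = svc.login("correct horse battery staple", totp(svc.totp_secret))
    stolen = owner_session                 # the phishing page relayed the token to the attacker
    return svc.disable_2fa(stolen)         # attacker has no authenticator, so supplies no code
```

Run `simulate(False)` and `simulate(True)` to compare the two designs; only the session-only variant lets the token holder remove 2FA.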
Edward’s priority, after the hack, was to protect others from the potential harm the hacker could do with his bot. Since it was in hundreds of servers, there was potential for the bot to cause chaos, although the hacker ended up not showing any interest in it.
Edward started emailing Discord Support, but found the process repetitive and said it didn’t really go anywhere. He received multiple identical emails from the support team, and several times Discord marked his ticket as closed and resolved even though he hadn’t gotten any real response.
Other Discord users whose accounts were hacked shared similar frustrations with Discord Support and how they handle cases. Cib, a Discord user, said after his account was hacked he immediately sent a ticket to Discord. His first email didn’t get a response, but he tried again two days later—this time with a lot more information and emotion.
“Eight days later, they told me my account was disabled, but that I could get it back by trying to log in after resetting my password,” Cib said. “I was all excited until I realized my 2FA was reset by the hacker, so I replied to the email Discord sent me, telling them my issue.”
Ultimately Discord froze the 2FA on Cib’s account and ten days after the hack, he recovered the account. But Discord told Edward something else.
“Since Discord does not collect any personal information to tie to the account, our current policy is that your 2FA codes act as your only form of official verification and proof that you are the owner of the account to disable the 2FA,” Discord Support emailed Edward, and told him to delete the stolen account.
Cib called the information Discord gave Edward completely false, citing his own situation as proof.
“They say they can’t reset 2FA for an account, which is what they say in their help center, but they clearly can since they, fortunately for me, did it on my account,” Cib said. “They also say it’s the only form of verification they have to prove we are the owner of the account, which is also false—our email seems to be another one, as they used it to prove I was indeed the original owner of my account.”
Most users on social media encountered the same roadblock, unable to get past the 2FA problem. One Redditor posted that he lost $400 from a credit card connected to the Discord account and the hacker had access to sensitive personal and professional information.
The user pointed out the flaws in Discord’s system, all of which add up to a serious vulnerability that’s clearly affecting many accounts.
“…no matter how secure your password is, no matter if you have 2FA and a phone linked to your account, it won’t do anything in case your account is compromised in a phishing attack or a virus,” reads one line.
The same 2FA vulnerability prevented the user from getting back into their account for days. The story reflects other threads all over Reddit and Twitter.
Many of the latest hackers seem to be using the same “game-testing” hoax to lure unsuspecting users into the trap.
Eventually, the back-and-forth that Edward experienced with Discord got to the point where he decided it wasn’t even worth getting his old account back. Getting the hacker removed quickly was more important to him than getting the account back.
“There was the risk always in the background that if they knew how to use the bot they could use it to spam thousands of people,” Edward said.
Edward’s account was set to be deleted, but he eventually was able to get it resolved. Discord Support reached back out to him and disabled 2FA so he could get back in his account even though the site told him it couldn’t before.
When contacted by the Daily Dot, Discord did not speak about the hacks, instead pointing to its posts about the “game testing” scam, where it warned users about its prevalence.
“In this situation, a user pretending to be your friend, or using a friend’s compromised account, reaches out asking you to check out their video, test a game they made, or practice running code they wrote,” reads one blog post. “No matter the backstory, they’ll always ask you to download a program or click a link they provide, resulting in a malicious program entering your computer and/or compromising your account.”
Discord offers plenty of information in other blog posts about how to detect scams and how to protect an account when it is targeted.
But for many, Discord’s words aren’t the solution they need, especially after hackers are already inside their accounts.
This post has been updated.