Editorial, May 29, 2026 3:00 pm CT

The anatomy of a discord hack: tips for protecting your accounts from social engineering attacks

Discord accounts being hacked is a hot topic every few months, as a new scam surfaces and people warn each other via network. We’ve all been DMed by scammers saying they accidentally reported your Steam account, or the new one I’ve heard is a hacker will post a message with a link to (read more), but the link is to hijacking malware. You can learn your Discord hack lesson the easy way, by listening to the cautionary tales, or the hard way.

I learned it the hard way.

This is my cautionary tale.

Here is what happened when my account was hacked via social engineering, and the fallout rippled through much of my digital life. However, I put several tech safeguards in place to keep everything safe. Some things worked — others didn’t.

The Social Engineering Exploit

All the security technology in the world won’t protect you if you invite the invader in.

I woke up one Sunday morning to a message from a friend. I’ve known this particular friend in person for over twenty years. They’re a developer who I know from the local gaming circles. They messaged me asking me to help test a co-op platformer a friend of theirs was developing. They know that I write about games and participate in games testing, and I’ve play tested tabletop games with or for them previously. It wasn’t an unreasonable or strange request for them to send my way.

My initial response was that I am genuinely terrible at platformers and I don’t want to spend my Sunday morning being bad at something, but I liked this friend and didn’t want to let them down. So I decided to suck it up and give them a hand.

This is the essence of a social engineering exploit — they use your desire to be helpful against you. The person doing the exploiting pretends to be someone they’re not, whether they’re pretending to be your friend, Steam support, or your bank needing to verify your credit card information.

It was so close to not working. I’d set up my voice comms and nearly called my friend before proceeding, but decided to take a few minutes to drink my coffee while getting sorted instead. I responded to the message and my “friend” sent me a link to a website. I had a look around the website and it looked like many of the indie games development websites I’ve looked at. There was marketing material, a gameplay video, FAQs, a feature roadmap, and a link to participate in the beta. I went to download the beta and it asked me for a license code. I asked my “friend” about that and they sent me a testing code.

Then, the Technology Exploit

I downloaded the “game installer” exe and ran it. This was the trojan horse, and it immediately started to scan my computer for a number of specific things.

The first thing it did was look through my open browser windows — we were joking on the BlizzardWatch Discord server recently about our emotional support browser tabs — and found an open Google doc. From there it was able to access my email account settings and blocked the [email protected] email address.

The second thing it did was change the email address associated with my Discord account. This triggered an automatic email from Discord, but because of the blocked address, I couldn’t see the message.

The third thing they did was change the password and add a new 2FA to the linked Discord support address.

All of this took seconds. It was all automated.

What I saw from my point of view was suddenly all my devices showed Discord getting kicked out and a log-in screen. My email started popping up verification messages. I got a notification popup that a Discord recovery code had been used.

I work in IT, so I’m aware of the basic security precautions to take. I had 2FA tokens on both my Discord and Google accounts — but because it was accessing those accounts from a device that was already logged in, they could ignore those protections entirely. For Discord, the recovery codes to bypass the 2FA token are accessible from within the application if you are logged in, giving them access to those codes.

Recovery Procedure — which security measures worked and which didn’t

As soon as I worked out what was going on, I powered off the infected computer. I have the privilege of having an entirely separate computer I use for gaming and a daily use computer which is a Mac. The Mac means a different operating system, one less vulnerable to exploits purely because of its smaller market share.

While my email was sitting on a Google server, it was actually a private domain, with my husband as the administrator. We had control of the email account again within minutes. I changed the password and moved the 2FA from the Google Authenticator I had been using to one built into my password vault. Because my husband is the admin of the domain, we were able to review the activity logs later and see what had been done.

I called my friend directly by phone, and they confirmed they had been hacked earlier the same morning using essentially the same social engineering exploit.

I then started trying to recover the Discord account. This is where we hit a roadblock.

According to Discord’s support page, your two options are:

  • Click on the link in the automated email that is generated when the email address is changed. The token in that email is valid for 48 hours. Because the hacker had blocked that address, I couldn’t see the email. Either they or I had emptied the mailbox in the time between when the message was blocked and when we found out it had been blocked. The message is no longer there.
  • The other option is to lodge a request from the Discord Support account linked to the original email address. You know, the email address the hacker secured for themselves, changing the password and attaching a new 2FA? That email address.

I currently have three open tickets with Discord L2 support to:

  • Remove the 2FA from the original support account.
  • Restore ownership of the compromised account.
  • Refund or transfer the 10 months remaining balance on the annual Nitro paid account.

I haven’t heard anything from Discord since those tickets were escalated 2 weeks ago.

Collateral Damage

The hacker still has control of my original account and is using it to try and hack my friends and other people on servers I was a member of. I know of two confirmed incidents of other people being hacked as a result.

I was an administrator on a couple of WoW-related Discord servers, and I reached out to the administrators by other avenues as quickly as I could. One removed me within minutes. The other didn’t get my message for several hours, in which time the hacker had vandalized the server pretty badly. It took them about 5 hours to restore the deleted channels, but the content was lost.

I am a guild leader and ‘owned’ our guild server. The hacker left it alone for a week, so we thought they wouldn’t hit it. Then around midnight on the following Saturday night local time, they started kicking the officers and anyone who was online. Any time someone posts there they get kicked from the server.

I have ended up having to set up an entirely new guild server, and we are trying to move everyone across to the new server. Our guild has been around since Vanilla, and the Discord server was nearly 10 years old. We have members who drop by occasionally, but we’re not in frequent contact with them, so we may not easily be able to notify them of the move.

That doesn’t even account for nearly a decade of direct messages between friends and family that were on the account — which included personal messages that could be used for other social engineering exploits in the future.

Two weeks in and I have no indication of when — or whether — I will recover the account, but at this point the original account is functionally useless. It will be blocked in so many places, and is untrustworthy. The only reason I want it back is to deny the hacker the use of it, and to allow me to transfer the paid service features. Two weeks is too long to respond to this type of incident, and it being an account with paid-up Discord Nitro offered no additional protection.

Mistakes were made — but it could have been worse

As bad as the damage was, it was limited because the compromised computer was only used for gaming. None of my sensitive accounts like banking, healthcare, etc get logged into on the gaming PC. I powered it off as soon as I knew what was going on to limit their access.

Having a paid Google account with admin access meant we could quickly recover that account, further limiting their access.

I already had a second Discord account set up for testing, so I was able to log a ticket with Discord using that account.

I was able to find contact details and message the admins of most of the major servers where I was a moderator to have my access limited relatively quickly. Some I contacted with their email addresses, some I messaged via Patreon. I reached out as quickly as possible to keep the damage to the minimum.

Something I have become more aware of since the hack is how many services and websites I use where I’ve used a “log in using Google” or “log in using Discord” option. I do try to use a direct login with a username and password, but sometimes I just use Google because it’s easy.

IT security is always a tightrope walk with how much inconvenience will users accept to stay safe. The answer is, not very much. People will almost always take the easier option when given two choices, even if the easier option is obviously less secure.

How I’m protecting myself for the future: tips to consider

Going forward I have made the following changes:

  • The most obvious one is verify through another channel before installing anything someone on Discord asks me to install. Speak to someone in voice chat or in person to confirm before running an installer — if you wouldn’t recognize their voice you probably shouldn’t be installing things at their request. If they’re asking me to install anything, I wouldn’t even click a link to a website they provide.
  • Try to avoid using a mail service like Gmail that is connected to ALL THE THINGS, but especially as the user name for other significant services. We ultimately chose to use ProtonMail for several reasons. It uses a fully encrypted mail client that is self-contained, it is based out of Europe, and does not have ties to any of the big tech FAANG companies so isn’t integrated to any of those services. This means something like an open Google Doc in an emotional support tab can’t be used as a backdoor to access the settings of my new email.
  • Have MFA already set up on the support account for any Discord account I have.
  • When setting up the new Guild server, I used a unique Discord account set up with its own email address, used only for ‘owning’ this server. I have then set up an administrator account one privilege level below that for my new daily use account. The ‘owner’ account will only be used as a ‘break glass’ account if I need to recover the server in the future.
  • For the new Discord accounts, I have stored the recovery codes in a secure note in my password vault. My password vault is emphatically not a Google service.
  • Avoid using any “log in using …” account types if at all possible.
  • I will be much more circumspect about the number of browser tabs I leave open and try not to leave Google Apps in particular open in my browser.

I am trying to pick up the pieces of my digital life — including apologizing to all the people who have been impacted by me being momentarily careless. I haven’t posted this to get sympathy, but in the hope that you will learn from my mistakes.
