- 2500 Discord users were exposed by hackers who obtained and then published their user credentials.
- The credentials are valid, and the exposed email addresses are in active use, as confirmed by Discord.
- Users and server admins are urged to enable 2FA immediately, as it’s the only measure of protection against this type of attack.
According to a freshly published Vice piece, hackers have published a small set of about 2500 valid login credentials that belong to Discord users. Discord is a popular freeware VoIP application that is appreciated by the gaming community for being lightweight, for its messaging, audio, and video communication features, and for the fact that it can run on any OS, including Windows, macOS, Linux, iOS, and Android, or even right from a browser tab. Reportedly, the hackers utilized Discord’s API to hijack accounts that belonged to users who had not set up two-factor authentication.
The hackers have even split the exposed dataset into two categories: credentials that work and credentials that don’t. Vice has confirmed that many of these accounts belong to actual Discord users, as it received an ‘already taken’ message when trying to create new accounts with the exposed email addresses. Discord has not responded to this yet, and while it should have already reset the credentials of the exposed accounts, it had done nothing as of the time of writing this article.
In general, Discord hasn’t been the best place for those who value political correctness and anti-disruption protections. While Discord is loved by gamers and counts over 130 million registered users overall, it has repeatedly failed to deal with far-right hate speech groups, child pornography, revenge porn, lolicon artwork, and more. While moderation policies are different from security policies, a lax approach in one area often indicates a general lack of firm management and control. Moreover, the fact that Discord isn’t used solely by gamers adds further possible value to the revelations.
To be fair, one thing that Discord does right is promoting two-factor authentication, which is optional right now. If you want to enable it, click on the settings cog icon in the app, go to “My Account” and click on the “Enable Two-Factor Auth” button. The verification of your phone number will then take place either by entering the provided key or by scanning a barcode, and you’re all set. If you’re a Discord server admin, enabling 2FA should be a no-brainer. Remember, we recently covered news about credential stealers that support Discord, so beware.