UPDATE 12/31/2021: I FINALLY GOT MY ACCOUNT BACK LFGGGGGGGGGGG
I recently fell victim to the "test my game" scam that steals your Discord account token. I'm asking that more people spread the word about the flaw that allowed this to happen on Discord's part.
The major security flaw is that no verification email is sent to the original email address to confirm that I want it changed to the new one. The fact that the hacker had already changed my password and was able to change the email with only that password as verification has cost me my account. 2-Factor Authentication was bypassed and then removed during that process.
When I had just a tiny thread of access to my account, I noticed my email was changed to a Turkish burner email that self-destructs after a short period of time. Why is this possible when burner phone numbers are immediately out of the question?
There are already various threads on the subreddit, the support site, and Twitter bringing attention to this issue, but they have barely received sufficient attention from Discord. Not many people know that it's this easy, and the token-stealing attacks have been around for years.
A simple verification email most likely would have been enough to prevent the hackers from causing this much damage since we would have the ability to cancel it. PLUS! A quick option to sign out of all sessions and reset the account token could've saved plenty of accounts as well! Instead we're greeted with emails saying it already happened along with a password change before it.
I would appreciate it if people who see this spread the word because this can affect EVERYONE who uses Discord. A flaw this critical should not have been in place for so long.
Videos explaining the scam
SomeOrdinaryGamers - https://www.youtube.com/watch?v=3yb4qj2QmmM
iamLucid - https://www.youtube.com/watch?v=xZLjwxTRM6k
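The two mitigations the post asks for (a confirm-or-cancel email to the original address before an email change takes effect, and revoking every session when account contact details change) as an added, hypothetical account-service model; this is example code written for this page, not Discord's implementation, and the mailer is stubbed into an in-memory `outbox`:

```python
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Account:
    email: str
    sessions: set = field(default_factory=set)       # live session tokens
    pending_email: Optional[str] = None
    pending_token: Optional[str] = None              # sent only to the ORIGINAL address
    pending_expires: float = 0.0


class AccountService:
    """Hypothetical service; mail delivery is a constructed stand-in (outbox)."""

    def __init__(self):
        self.outbox = []  # (recipient, message, token) tuples instead of real mail

    def login(self, acct):
        tok = secrets.token_urlsafe(32)
        acct.sessions.add(tok)
        return tok

    def request_email_change(self, acct, new_email, ttl=3600):
        # Even a stolen session cannot finish this: the owner decides via the old inbox
        tok = secrets.token_urlsafe(24)
        acct.pending_email, acct.pending_token = new_email, tok
        acct.pending_expires = time.time() + ttl
        self.outbox.append((acct.email, "confirm or cancel email change", tok))
        return "pending"

    def confirm_email_change(self, acct, tok):
        if acct.pending_token is None or time.time() > acct.pending_expires:
            return False
        if not secrets.compare_digest(tok, acct.pending_token):
            return False
        acct.email = acct.pending_email
        self._clear_pending(acct)
        self.revoke_all_sessions(acct)  # contact change: sign out everywhere
        return True

    def cancel_email_change(self, acct, tok):
        ok = acct.pending_token is not None and secrets.compare_digest(tok, acct.pending_token)
        if ok:
            self._clear_pending(acct)
            self.revoke_all_sessions(acct)  # a cancel means someone else was in the account
        return ok

    def revoke_all_sessions(self, acct):
        acct.sessions.clear()

    def _clear_pending(self, acct):
        acct.pending_email = acct.pending_token = None
        acct.pending_expires = 0.0
```

A password change should call `revoke_all_sessions` the same way, so that a stolen token stops working the moment the owner changes credentials.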