00:00
00:00
SlyceCaik
she/they - multimedia artist
https://linktr.ee/slycecaik
Kae @SlyceCaik

Age 23

art + music

U.S.

Joined on 10/10/16

Level:
11
Exp Points:
1,125 / 1,350
Exp Rank:
58,316
Vote Power:
5.28 votes
Audio Scouts
1
Rank:
Civilian
Global Rank:
> 100,000
Blams:
0
Saves:
1
B/P Bonus:
0%
Whistle:
Normal
Medals:
17

I NEED YOUR HELP, DISCORD HAS A MAJOR SECURITY FLAW

Posted by SlyceCaik - December 15th, 2021

UPDATE 12/31/2021: I FINALLY GOT MY ACCOUNT BACK LFGGGGGGGGGGG


I recently fell victim to the "test my game" scam that steals your Discord account token. I'm asking that more people spread the word about the flaw that allowed this to happen on Discord's part.


The major security flaw is there is no verification email being sent to the original email to verify that I want it changed to the new one. The fact that the hacker already changed my password and was able to change the email with only said password as verification has costed me my account. 2 Factor Authentication was bypassed then removed during that process.


When I had just a tiny thread of access to my account, I noticed my email was changed to a Turkish burner email that self-destructs after a short period of time. Why is this possible when burner phone numbers are immediately out of the question?


There's already various threads on the subreddit, the support site, and Twitter bringing attention to this issue but barely received sufficient attention from Discord. Not many people know that it's this easy and the token stealing attacks have been around for years.


A simple verification email most likely would have been enough to prevent the hackers from causing this much damage since we would have the ability to cancel it. PLUS! A quick option to sign out of all sessions and reset the account token could've saved plenty of accounts as well! Instead we're greeted with emails saying it already happened along with a password change before it.


I would appreciate it if people who see this spread the word because this can affect EVERYONE who uses Discord. A flaw this critical should not have been in place for so long.


Subreddit posts

https://www.reddit.com/r/discordapp/comments/quz3wt/chronicling_my_discord_support_experience/

https://www.reddit.com/r/discordapp/comments/rg0o49/psa_if_you_get_a_dm_asking_you_to_test_a_game/

https://www.reddit.com/r/discordapp/comments/qldvpa/story_discord_has_the_poorest_account_security/?utm_medium=android_app&utm_source=share


Support posts

https://support.discord.com/hc/en-us/community/posts/4409387369111-Improve-Change-Email-Security

https://support.discord.com/hc/en-us/community/posts/4413680470935-A-Proposal-to-Improve-2FA-Security-Fixing-a-Critical-Account-Security-Flaw


Videos explaining the scam

SomeOrdinaryGamers - https://www.youtube.com/watch?v=3yb4qj2QmmM

iamLucid - https://www.youtube.com/watch?v=xZLjwxTRM6k

Tags:
19

Comments

Log in to Comment

MchectorII

That’s terrible and yes,I’ll do what I can to spread this word around.Thanks for the information!

Yomuchan

I'll spread this around. Thanks!

pikachu000000000

would u like to test my game

ampdesigns

yeah there's issues with discord that and streaming gameplay

Stepford

I had this happen to me. They pretended to be me and used my most common emojis. It was so fucking creepy.

DaemonPlus

Use IRC and E-mail. Not closed, electron-based honeypots run by people who don't understand or care about basic infosec.

TomatoSus

This happened to me not too long ago back in October. It is possible to get your account back if you contact discord support. However it will take a while and mine took a little over 2 weeks to get back. During that time it stole money from my Dad's paypal and used it on nitro. So if you have your paypal or some payment method hooked to your account, try and get it off of there immediately. The creepiest part during all was that one of my friends was hacked by it and the hacker talked through her account mimicking how she spoke along with the emotes she uses. When I got hacked by it, it did the same for me

HAL0GUY

@Stepford Damn did you ever fix it?

HAL0GUY

Man I am always nervous about anything happening on my discord account

Main Sections

Extra, Extra!

Community

NG Related

©Copyright 1995-2024 Newgrounds, Inc. All rights reserved. Privacy Policy | Terms of Use