Discord Security

Discord is crawling with people and bots looking to gain control of your account or send you to deceptive websites. Familiarize yourself with these patterns for safe use of the platform.

1. Change your password immediately if you think you've fallen for a scam.

This invalidates your existing session token and signs you out everywhere.

2. Be suspicious of outgoing links.

Links might not go where you think they go. Markdown allows the displayed text of a link to differ from its actual target - so check where a link really points before you click.

Even URLs on trusted domains can carry bookmarklet-style JavaScript that injects content into the page, so a site you think you trust might ask for your credentials or ask you to enter a token from the browser dev console.
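As an added illustration (not part of the original page), here is a small checker that scans a message for markdown links whose displayed text looks like one site while the target points somewhere else, and that flags targets using script-style schemes such as `javascript:`. The regex, the scheme list and the sample message are assumptions constructed for this example; Discord's own markdown parser is more permissive.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Matches markdown links of the form [display text](target).
# Constructed for this example; a real chat parser handles more edge cases.
LINK_RE = re.compile(r"\[([^\]]+)\]\(([^)\s]+)\)")

# Schemes that should never be a chat link target: clicking them runs code
# or opens a non-web handler instead of navigating to a page.
DANGEROUS_SCHEMES = {"javascript", "data", "vbscript", "file"}


def host_of(text: str) -> Optional[str]:
    """Return the host of a URL-looking string (without a leading www.), or None."""
    candidate = text.strip()
    if "://" not in candidate:
        candidate = "https://" + candidate  # treat bare domains like "discord.com" as URLs
    host = urlparse(candidate).hostname
    if not host or "." not in host:
        return None  # plain words like "click here" are not a host
    host = host.lower()
    return host[4:] if host.startswith("www.") else host


def check_link(display: str, target: str) -> List[str]:
    """Return human-readable findings for one link, empty if nothing looks wrong."""
    findings = []
    scheme = urlparse(target).scheme.lower()
    if scheme in DANGEROUS_SCHEMES:
        findings.append(f"target uses {scheme}: scheme")
    shown, real = host_of(display), host_of(target)
    if shown and real and shown != real:
        findings.append(f"text shows {shown} but target is {real}")
    return findings


def scan_message(message: str) -> List[Tuple[str, str, List[str]]]:
    """Return (display, target, findings) for every suspicious link in a message."""
    results = []
    for match in LINK_RE.finditer(message):
        display, target = match.group(1), match.group(2)
        findings = check_link(display, target)
        if findings:
            results.append((display, target, findings))
    return results


if __name__ == "__main__":
    # Constructed sample: the visible text names discord.com, the target does not.
    sample = "Free gift! [https://discord.com/gifts](https://discord-gifts.example/claim)"
    for display, target, findings in scan_message(sample):
        print(f"[{display}] -> {target}: {'; '.join(findings)}")
```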

3. Be suspicious of downloads, even from people you know.

Be especially wary of executables, scripts, and vulnerable file types like PDFs, and remember that you don't know who's at the other end of an account. If in doubt, don't download it.

4. Discord 2FA is not foolproof.

If an attacker executes code on your machine to steal your token, they can change your password, turn off 2FA, and re-enable it, locking you out entirely. (Nonetheless, you should have 2FA enabled to protect yourself from phishing and leaked credentials.)

5. Don't tell anyone your account details.

Specifically, never scan a QR code with the app when asked by someone else, never give out your password, and never copy anything from the browser developer console to send to someone who's asking.

6. Don't run console commands or add bookmarklets.

Don't run any commands in your browser dev console or add browser bookmarks when prompted by a contact or a website. Only bad actors will ever ask you to do so.