it sucks, we're still trying to contact discord and get it fixed. but i wanted to take a second to point out how it happened, because the method they used was a lot more advanced than what i've seen before.
I still feel dumb for nearly falling for a discord scam a while ago where they tried to take over my steam account. I didn't think there was anything wrong until i thought, hey, wait a second, why are they telling me to ignore all of the emails saying my account is being signed into on other devices? The scam only had any credibility in the first place because i had my steam account listed on my discord, so they were able to be like "hey is this your account?" So i made them all no longer visible.
I see the reasoning behind doing that, but that also takes away an alternate method of contact in case you do get hacked
yeah, we work hard to make sure the people we're close to have our contact information in a variety of places - independent of any sharing features.
our threat model is perhaps more serious than most people's, but we just don't like making those things readily visible.
Tried to see what was in place to help make this more difficult; 2FA is huge, but if you get tricked into one of those discord look-alike sites, it's still possible to mess up.
I just tried to change my Discord email, but it can't be changed without clicking a verification link sent to the email, so as long as that doesn't happen, it's possible to password reset/login, etc...
Of course, if you've run an exe, it's likely your session tokens have been compromised anyway... at which point I think you might be SOL if they hijack your email.
Avoiding process escalation (e.g. don't ever "Run as Admin") might help, especially for games, but I'm not actually sure if Windows applications running in user mode can still read the memory of other processes or random files...
in my girlfriend's case, 2fa was worse than useless. if discord didn't have it she probably would've been able to get back in much easier. but since they cracked her 2fa (i'm still trying to find out how, honestly) she was completely locked out of the account and discord support had to step in, which took a much longer time than it felt like it should've. (no disrespect to discord support, but man they should probably staff people on the night shift.)
the best step that discord should probably take is to ip lock sessions. the hackers in this case were able to plainly steal her entire cookie, use it to impersonate her, then remove access on her end through the client. if the cookie were tied to her ip, this attack wouldn't be possible.
Taking the session would let you log in, but you shouldn't have the root seed for the one-time password, and removing MFA from Discord still requires you to authenticate with either your existing generator or a backup code.
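The two server-side fixes discussed in the two comments above, tying a session token to the IP it was issued to and refusing to remove MFA on a bare session without a fresh credential check, as a toy sketch. This is an added example, not Discord's code; the `SessionStore` class, user names and IP addresses are all made up for illustration.

```python
import hashlib, hmac, secrets, time
from dataclasses import dataclass

@dataclass
class Session:
    user: str
    ip_hash: str      # keyed hash of the client IP the token was issued to
    last_auth: float  # last time the user proved a credential (password/TOTP)

class SessionStore:
    """Toy store: tokens are bound to the issuing IP, and dangerous account
    changes (remove MFA, change email) need a recent credential check."""
    def __init__(self, step_up_window=300.0, clock=time.time):
        self._key = secrets.token_bytes(32)  # keyed hash keeps raw IPs out of the store
        self._sessions = {}
        self.step_up_window = step_up_window
        self.clock = clock  # injectable so a test can fast-forward time

    def _ip_hash(self, ip):
        return hmac.new(self._key, ip.encode(), hashlib.sha256).hexdigest()

    def login(self, user, ip):
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user, self._ip_hash(ip), self.clock())
        return token

    def resolve(self, token, ip):
        s = self._sessions.get(token)
        if s is None:
            return None
        if not hmac.compare_digest(s.ip_hash, self._ip_hash(ip)):
            # Replayed from a network it was not issued to: treat as stolen and
            # revoke it, so the real owner is logged out and notices. Caveat:
            # mobile/CGNAT clients change IPs, so real systems usually fall
            # back to a device fingerprint or an MFA re-prompt instead.
            del self._sessions[token]
            return None
        return s

    def step_up(self, token, ip):  # call only after a fresh TOTP/backup code was verified
        s = self.resolve(token, ip)
        if s is None:
            return False
        s.last_auth = self.clock()
        return True

    def remove_mfa(self, token, ip):
        s = self.resolve(token, ip)
        if s is None:
            return "denied: no valid session"
        if self.clock() - s.last_auth > self.step_up_window:
            return "denied: re-authenticate first"
        return f"ok: mfa removed for {s.user}"
```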
It also won't let you change your email without verifying the email first, and same with your phone number if you have that set.
Root seed sounds like TOTP. I was assuming discord let you receive a notification to your app as a form of MFA, like Google does. My understanding about phone numbers is that you can intercept a text for about $20. Security is hard :(
Sorry, yeah it does let you go the phone route too; I just have OTP setup so I just said "MFA" assuming OTP and not the text code or app check.
Is there a way to tell friends about my game when I'm done developing it that won't make me look like a bot proffering a virus?
it's tough to say. in general, it's probably more believable:
in the end though, it'll always be a gamble on either side. it sucks! i know how tricky it is to get views on a thing you made. the most important piece is reputability. (which also means you should be sure to lock your account down if you are a gamedev, imagine building that trust up and then getting hacked!)
Honestly I'd contact someone out of band (i.e. on a platform other than discord) if you're planning on sending them an executable letting them know that it's safe to download.
I think this is terrible advice. Executables and links to download them are not somehow more dangerous sent over Discord compared to any other platform, and Discord is very definitely not the only platform to be plagued with phishing attacks. Contacting someone through channels you don't normally talk to them through and telling them to download something is going to be incredibly suspicious to anybody.
I mean in addition to discord. If a friend of mine sent me an executable and asked me to run it the first thing I would do is text them or call them elsewhere and have them confirm they sent me a file and intended to run it. The chances that they had multiple accounts breached is lower if they're following good password/2fa practice, so I can be more confident my actual friend who doesn't want to hack my account is sending me the file.
Feel free to follow whatever practices make sense to you.
Well I guess that can make some sense! But the way you phrased it definitely didn't make that clear XP Still, getting an email broken into means, for most people, that their other accounts fall as well, so I don't think it's a foolproof strategy. Doesn't hurt though, and I feel like most attackers wouldn't go through that much effort unless they were targeting you in particular, but you never know!
In this case (and from what I understand many discord account hacks) the victim's email wasn't breached, rather their session cookie was captured and used to log into the account, change the email/password, etc.
You're correct: if someone's email was breached and they weren't using MFA on other accounts as a protection (or that MFA was configured to send email codes as a backup), then they would be able to breach nearly anything. That's why I'd personally call my friend on the phone like a boomer, because most attackers aren't dedicated enough for an individual target to hijack that.
If you're suggesting the simpler advice of "don't execute files your friends send to you" then I'd agree that's good practice. Assuming you might want to some day, I'd suggest doing more than just trusting the initial message to be secure.
I narrowly avoided getting got by this (or a similar scam) bc I have the disease where I never ever ever follow-up on any of my friend's recommendations, and shortly after the initial convo another friend of mine pointed out how sus it was (she'd gotten the same DM) & I realized it was a scam.
Another awful side-effect is there are probably legit people reaching out for actual testers so the real devs are gonna suffer, whilst the scammers keep going. This just makes me distrust any form of advertising even harder.
Sorry about your girlfriend's account, that really sucks, I hope she can get it back soon.