The good news? A recent phishing attempt hit Discord and only ensnared a small batch of users — around 2500 in all. The bad news? There’s no easy tool to tell if you’re on that list, so you might as well take a moment to reset your password on the service right now.
More important, it’s time to stop being lazy and enable two-factor authentication, which will help protect you from phishing attempts going forward.
As Vice reported today, the list of suckered users is small, and it even includes some smart Discord users who realised they were being phished:
Some of the invalid login details are clearly fake, with emails such as "[email protected]" and the password "fucku", likely from people who are trying to provide the hackers with garbage data.
Unfortunately, there are also legitimate accounts on the list. Even if yours hasn’t been affected — and there’s a good chance you’re in the clear, especially if you haven’t supplied your Discord login and password to any website or service lately — moments such as these are wonderful opportunities to consider your security practices:
- Are you using an easy-to-guess password?
- Are you using the same password on Discord you use for other services?
- Are you using a password manager to store the unique passwords you should be using for each service?
- Have you enabled two-factor authentication?
Changing your password on Discord
To change your Discord password, pull up the website or desktop app and click on the gear icon to the right of your name in the lower-left corner of the screen. Then, click on the Edit button in your “My Account” section:
From there, look for the “Change Password?” link. Click it, type in your current and new password, and click Save to confirm your change.
Adding two-factor authentication to your Discord account
Yes, Discord should email you whenever it detects a login attempt from a new IP address. It’s still a better practice to enable two-factor authentication, as anyone with access to your email — especially if you’ve been using the same password for multiple services — could approve the request.
With 2FA, an attacker would also need physical access to your device and authenticator app to log in as you.
Within that very same “My Account” section, look for the Two-Factor Authentication section at the bottom and click the “Enable Two-factor Auth” button.
You’ll then be prompted with the standard QR code you should be used to seeing if you’ve enabled two-factor authentication for your other accounts (which you should do!). Scan it with your favourite authenticator app — we like Authy, but there are plenty of alternatives — and input the code it gives you to confirm it works.
You’ll then be prompted to sign up for SMS Authentication as a backup method, which is less secure than a 2FA app. You’ll also be asked to download your backup codes, which you should absolutely do in case you lose access to the authenticator app and can’t log into Discord anymore.
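To show why a phished password alone is no longer enough once 2FA is on, here is an added example (not Discord's code and not part of the original article) of the time-based one-time password scheme behind that QR code (TOTP, RFC 6238), together with one-time backup codes stored only as hashes. The base32 secret format, the 6-digit/30-second parameters and the 8-hex-character backup-code format are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import secrets
import struct

# Added illustration, not Discord's implementation. Assumes the QR code
# carries a base32 TOTP secret (RFC 6238, SHA-1, 6 digits, 30-second steps).

def generate_secret(nbytes: int = 20) -> str:
    """Shared secret created at enrolment; base32 is the form packed into the QR code."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode()

def totp(secret_b32: str, unix_time: int, digits: int = 6, step: int = 30) -> str:
    """Code the authenticator app shows: HMAC-SHA1 over the current time step (RFC 4226/6238)."""
    key = base64.b32decode(secret_b32.upper())
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify_totp(secret_b32: str, submitted: str, unix_time: int,
                window: int = 1, step: int = 30) -> bool:
    """Server side: accept the current step or +/- `window` steps to tolerate clock drift.
    Without the secret (held only on the user's device and the server), a phisher who
    captured the password cannot produce a valid code."""
    for drift in range(-window, window + 1):
        expected = totp(secret_b32, unix_time + drift * step, step=step)
        if hmac.compare_digest(expected, submitted):  # constant-time compare
            return True
    return False

def issue_backup_codes(n: int = 8) -> tuple[list[str], set[str]]:
    """Backup codes shown to the user once; the server keeps only their hashes."""
    codes = [secrets.token_hex(4) for _ in range(n)]      # assumed 8-hex-char format
    return codes, {hashlib.sha256(c.encode()).hexdigest() for c in codes}

def redeem_backup_code(code: str, stored_hashes: set[str]) -> bool:
    """Each backup code works exactly once: its hash is removed on successful use."""
    digest = hashlib.sha256(code.encode()).hexdigest()
    if digest in stored_hashes:
        stored_hashes.remove(digest)
        return True
    return False
```

The RFC 6238 test secret (ASCII "12345678901234567890") yields "287082" at Unix time 59, which is the value any standard authenticator app would display for that secret and time.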