Improve Change Email Security
There's been an account hacking wave going on recently and I sadly fell to it. I would like to take a moment to suggest something that would help in making Discord's security at least safer and tighter, so hackers don't only require your Discord info to attempt stealing the account.
The attack has been mainly around friends, as in accounts on your friend list falling to it and then proceeding to other friends in other circles. This can be someone you've been talking with a lot, maybe even for years.
Anyways, back to what I want to request as a startup to improve security:
The Current State of Changing Your Email Address:
At the current state, this is how Email changing works:
What it asks:
1) A New Email
2) Your current password
Problem:
When your account is breached, whether by figuring out your password OR a token (2FA does nothing in this situation), they can change emails and it's pretty much over, as you cannot change your email back to the original one and the hacker is now pretty much the new owner!
Solution:
An easy solution is to send a confirmation to the original email. This way, the hacker is required to log in to the original email to complete the account stealing, and because of this layer of security the chances of account stealing become slim (unless they are withholding your email's information too). The type of information that can be sent to confirm this type of "Change to a New Email" request can be as follows:
1) Click of a button, verify this is you doing the request.
2) A code that expires in a few minutes, the user must input the received code inside the popped up box to continue their decision of changing their email.
3) If the user has 2FA, the user will also/instead be asked to input their 2FA key to continue the account changing.
After doing one of these, the user will receive a prompt with a tab to change to their new email.
Bonus: Make it so you also have to confirm on the NEW email you added!
Issues:
1) If they know your email's info (email's name and password), they can confirm the request of the change.
Note: Although this is the case, 2FA would then make the breach far more complex, as they are required to send a code to even log in to the email itself; at least 2FA would be utilized for more than just a login function, right?
2) If the user forgot their email info (such as the email's password, not Discord's), the user cannot change their email at all if the solution was added, which can be problematic in this situation.
I hope to see this feature implemented; at least it will be a start in making Discord secure and safe in the situations of a breach through token grabbing and such, by making it difficult for hackers to do their job and giving more time & security for the original user to change their info before it's too late.
Thank you,
-SamiSha
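One way to implement the flow proposed in the post, as an added example (not Discord's code or the poster's): a pending change record, a short-lived code sent to the address currently on the account, the 2FA code required when 2FA is enrolled, and a second code to the new address before anything takes effect. The mailer, password check and TOTP check are assumed callbacks supplied by the caller.

```python
import hmac, secrets, time

CODE_TTL = 300  # seconds: "a code that expires in a few minutes"


class EmailChangeFlow:
    def __init__(self, send_mail, check_password, check_totp, now=time.time):
        self.send_mail = send_mail            # assumed: send_mail(to_addr, body)
        self.check_password = check_password  # assumed: check_password(user, password) -> bool
        self.check_totp = check_totp          # assumed: check_totp(user, code) -> bool
        self.now = now
        self.pending = {}                     # user id -> pending change record

    def _issue(self, user_id, new_email, stage, to_addr):
        code = f"{secrets.randbelow(10**6):06d}"  # six-digit one-time code
        self.pending[user_id] = {"new": new_email, "stage": stage,
                                 "code": code, "exp": self.now() + CODE_TTL}
        self.send_mail(to_addr, f"Email change code: {code}")

    def request_change(self, user, new_email, password, totp_code=None):
        # Existing checks stay: current password, plus the 2FA code when enabled.
        if not self.check_password(user, password):
            return False
        if user.get("totp_enabled") and not self.check_totp(user, totp_code):
            return False
        # New layer: the code goes to the address currently on the account.
        self._issue(user["id"], new_email, "old", user["email"])
        return True

    def _consume(self, user_id, stage, code):
        p = self.pending.get(user_id)
        if p is None or p["stage"] != stage or self.now() > p["exp"]:
            return None                       # nothing pending, wrong step, or expired
        return p if hmac.compare_digest(p["code"], code) else None

    def confirm_old(self, user, code):
        p = self._consume(user["id"], "old", code)
        if p is None:
            return False
        # "Bonus" step from the post: the new address must confirm too.
        self._issue(user["id"], p["new"], "new", p["new"])
        return True

    def confirm_new(self, user, code):
        p = self._consume(user["id"], "new", code)
        if p is None:
            return False
        user["email"] = p["new"]              # only now does the change take effect
        del self.pending[user["id"]]
        return True
```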
Upvoted.
5 -
I can't believe that no confirmation email is obligatory to change the account email address and the password!
9 -
This should've been a thing in Discord in general. I'm surprised that it's not, given that Discord accounts are being hacked left and right and Discord support isn't being that helpful towards the affected accounts. Make it easier by doing what's in this suggestion to make the accounts safer when it comes to being hacked; that way you'll have fewer reports to deal with, since people can easily recover their accounts without needing to wait for days / weeks for a reply while an investigation goes on for a while and ends up with nothing.
6 -
Yes, this is a problem. I think 2FA should be needed for changing an email if enabled, but confirming an email change on the main email wouldn't make so much sense because of the problem you already provided. But yes, if someone cares about their account, they would add 2FA, and therefore 2FA should affect changing emails. This is an insane security flaw that I can't believe Discord hasn't realised yet.
6 -
I want to make sure that no hackers will hack your account (or everyone's account) ever again. I hope that this hacker will pay for what he has done to your account. Anyway, I upvoted this too.
3 -
This should've been the case in the first place for Discord Security, but no. It's easy to do and bypass, good job Discord.
And they've had plenty of time to work on their security.
5 -
YES PLEASE!!!
It is way too easy for people to completely lock you out of your account from within, since Discord won't send an email with a link to revert your email if someone or you changes it from within an account. People who get token logged are honestly screwed, since Discord rarely responds to emails or even reverts accounts that were token logged. It is pretty sad to have an account for years with hundreds of friends on there and then lose it over some stupid kid on the internet. Plus, the hacker did not even need any sort of 2FA to change my email, and this is extremely frustrating because people who get token logged have absolutely no security whatsoever, and I hate how more hacks come from token logging than from people actually using your password. It's pretty useless having to put in your 2FA codes every single time you log in, but if you change your email or password you don't need it.
Bruh, a couple of days ago I was just talking to my friends on Discord and all of a sudden I got logged out; my password, email and username were changed in a few seconds, and some random person spent hundreds of dollars on my account with my billing information. I can't even take the debit card off of my Discord account since they locked me out of my account, and Discord won't even respond to my emails. It's extremely frustrating when I can't even refund hundreds of dollars spent on my account by some random person, and they didn't even need any sort of authorization from me to do that. I think billing information should be more secure and Discord should offer a link to revert email changes from within an account. And perhaps this won't happen to anybody else. And still to this day Discord has yet to refund my $100 spent on a bunch of Nitro gifts or even revert my account. Here is what happened when someone token logged me.
5 -
Yes, I'm in the same boat. I thought it was weird that there was no code needed before the hacker changed my email or password.
This post needs to be pinned. User Security should be top priority.
Has anyone been a victim to this and had their issue resolved yet?
4 -
Yes, someone was a victim of account stealing. And it didn't happen just once. It's a severe disregard of safety standards for all internet applications that need a login!
5 -
I'm pretty sure nobody gets any support these days; Discord support is an actual joke.
The only time I can ever recall Discord staff actually helping me was in 2019, where they responded almost INSTANTLY and helped solve the issue within 24 hours.
5 -
I don't understand what went wrong..
2 -
This, ladies and gentlemen, is a disaster waiting to happen.
I back this post and I hope Discord will too, otherwise it's going to be madness.
3 -
Upvoted for my man TRAELMYX
Hope Discord will take action soon
0 -
I lost my account of years to a stupid circumstance.. I thought Discord would at least attempt the bare minimum of security.
1 -
At the very least, when you change your email, your old email address should get some kind of email sent to it.
Something like "Your Discord email has changed. Wasn't you? Click here to undo it (and reset your password)". This is something I've seen implemented across a number of sites I use.
It doesn't make it harder to change an account's email, but it does make it easier to recover the account (and ensure that the user fixes their compromised credentials).
0 -
Exactly. That alone would've prevented my account being hijacked and I assume sold to some random person after I realized I downloaded malware. It took 2 weeks to get this account back from those hijackers.
I've made that same point in various posts spreading the word about the situation last month. It baffles me greatly how that hasn't been implemented along with other various essentials.
1 -
Now on the opposite side, this is how changing email works now:
It asks you to receive a verification code to the old email address before the new email can be added.
Sounds secure? The only problem is that I lost access to this email address from my university because I have graduated and they removed my access. However, the screenshot suggests "Lost access to your email? Get in touch", which I did. Then they responded, basically saying I should create a new account instead. But if support cannot help me change the email regardless, then why do they have that prompt in the first place?
I remember the current password, have access to the verified phone number, and have 2FA enabled, which I also have access to, as well as the recovery code. If that is still not sufficient to prove I am the owner, then I am fine with uploading photo IDs and going through a manual review process, but that does not seem to be an option either.
1 -
You are now the reason why I can't change my email, thanks for making things worse for me!
0 -