Improve Change Email Security



  • DrLogan


  • Ironymus

    I can't believe that no confirmation email is obligatory to change the account email address and the password!

  • Catherina

    This should've been a thing in Discord in general. I'm surprised that it's not, given that Discord accounts are being hacked left and right and Discord support isn't being that helpful towards the affected accounts. Make it easier by doing what's in this suggestion to make the accounts safer when it comes to being hacked. That way you'll have fewer reports to deal with, since people can easily recover their accounts that way without needing to wait for days / weeks for a reply while the investigation goes on for a while and ends up with nothing.

  • Sp00ky HvRPvK

    Yes, this is a problem. I think 2FA should be needed for changing an email if enabled, but confirming changing email on the main email wouldn't make so much sense, because of the problem you already provided. But yes, if someone cares about their account, they would add 2FA, and therefore 2FA should affect changing emails. This is an insane security flaw that I can't believe Discord hasn't realised yet.

  • TheShelbySarah

    I want to make sure that no hackers will hack your account (or everyone's account) ever again. I hope that this hacker will pay for what he has done to your account. Anyway, I upvoted this too.

  • chfern

    This should've been the case in the first place for Discord Security, but no. It's easy to do and bypass, good job Discord.

    And they've had plenty of time to work on their security.

  • checks

    YES PLEASE!!!

    It is way too easy for people to completely lock you out of your account from within, since Discord won't send an email with a link to revert your email if someone (or you) changes it from within an account. People who get token logged are honestly screwed, since Discord rarely responds to emails or even reverts accounts that were token logged. It is pretty sad to have an account for years with hundreds of friends on there and then lose it over some stupid kid on the internet.

    Plus, the hacker did not even need any sort of 2FA to change my email, and this is extremely frustrating because people who get token logged have absolutely no security whatsoever. I hate how more hacks come from token logging than from people actually using your password. It's pretty useless having to put in your 2FA codes every single time you log in if you don't need them to change your email or password.

    Bruh, a couple of days ago I was just talking to my friends on Discord and all of a sudden I got logged out. My password, email and username were changed in a few seconds, and some random person spent hundreds of dollars on my account with my billing information. I can't even take the debit card off of my Discord account since they locked me out of my account, and Discord won't even respond to my emails. It's extremely frustrating when I can't even refund hundreds of dollars spent on my account by some random person, and they didn't even need any sort of authorization from me to do that. I think billing information should be more secure and Discord should offer a link to revert email changes from within an account. And perhaps this won't happen to anybody else. And still to this day Discord has yet to refund my $100 spent on a bunch of Nitro gifts or even revert my account.

    Here is what happened when someone token logged me.

  • AceOperation

    Yes, I'm in the same boat. I thought it was weird that there was no code needed before the hacker changed my email or password.

    This post needs to be pinned. User Security should be top priority.

    Has anyone been a victim of this and had their issue resolved yet?

  • Ironymus

    Yes, someone was a victim of account stealing. And it didn't happen just once. It's a severe disregard of safety standards for all internet applications that need a login!

  • checks

    I'm pretty sure nobody gets any support these days; Discord support is an actual joke.
    The only time I can ever recall Discord staff actually helping me was in 2019, when they responded almost INSTANTLY and helped solve the issue within 24 hours.

  • checks

    I don't understand what went wrong..

  • Athena was here

    This, ladies and gentlemen, is a disaster waiting to happen.

    I back this post and I hope Discord will too, otherwise it's going to be madness.

  • charizard8888

    Upvoted for my man TRAELMYX
    Hope Discord will take action soon

  • TabbotPhi

    I lost my account of years to a stupid circumstance.. I thought Discord would at least attempt the bare minimum of security.

  • Badger

    At the very least, when you change your email, your old email address should get some kind of email sent to it.
    Something like "Your discord email has changed. Wasn't you? Click here to undo it (and reset your password)"

    This is something I've seen implemented across a number of sites I use.
    It doesn't make it harder to change an account's email, but it does make it easier to recover the account (and ensure that the user fixes their compromised credentials)
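    An added example (not Discord's code, nor any commenter's) of the two mitigations this thread asks for: the 2FA gate on an email change that Sp00ky HvRPvK proposes, and the signed, single-use revert link mailed to the old address that Badger describes. The `account` dict fields, `SECRET_KEY`, `REVERT_TTL` and the `second_factor_ok` flag are assumptions made for the example.

```python
import base64, hashlib, hmac, json, secrets, time

SECRET_KEY = secrets.token_bytes(32)  # hypothetical server-side signing key (constructed here)
REVERT_TTL = 7 * 24 * 3600            # assumed: revert link stays valid for 7 days
USED_NONCES = set()                   # single use: a redeemed link cannot be replayed

def _sign(payload: bytes) -> str:
    return hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest()

def change_email(account, new_email, second_factor_ok, now=None):
    """Apply the change only if the account's 2FA (when enabled) was satisfied, and
    return the revert token that would be mailed to the OLD address."""
    if account["mfa_enabled"] and not second_factor_ok:
        raise PermissionError("second factor required to change email")
    now = int(time.time()) if now is None else now
    payload = json.dumps({"uid": account["id"], "old": account["email"], "new": new_email,
                          "exp": now + REVERT_TTL, "nonce": secrets.token_hex(8)},
                         sort_keys=True).encode()
    account["email"] = new_email
    # token = base64url(payload) "." hex(HMAC-SHA256(payload)); only the server can mint one
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)

def redeem_revert(token, account, now=None):
    """Undo a change from the revert link: check signature, expiry, single use, and that
    the account still sits at the email the link was issued for; then roll back,
    kill every session and force a password reset."""
    try:
        body_b64, sig = token.split(".", 1)
        payload = base64.urlsafe_b64decode(body_b64)
    except (ValueError, TypeError):
        return False
    if not hmac.compare_digest(_sign(payload), sig):
        return False                       # tampered or forged link
    data = json.loads(payload)
    now = int(time.time()) if now is None else now
    if now > data["exp"] or data["nonce"] in USED_NONCES:
        return False                       # expired or already redeemed
    if data["uid"] != account["id"] or account["email"] != data["new"]:
        return False                       # stale: the email moved on since this link was sent
    USED_NONCES.add(data["nonce"])
    account["email"] = data["old"]
    account["sessions"].clear()            # invalidates the hijacker's tokens/sessions
    account["must_reset_password"] = True  # the "(and reset your password)" part
    return True
```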

  • CaikSlyce

    Exactly. That alone would've prevented my account being hijacked and I assume sold to some random person after I realized I downloaded malware. It took 2 weeks to get this account back from those hijackers.
    I've made that same point in various posts spreading the word about the situation last month. It baffles me greatly how that hasn't been implemented along with other various essentials.

  • popoway

    Now on the opposite side, this is how changing email works now:

    It asks you to receive a verification code to the old email address before the new email can be added.

    Sounds secure? The only problem is that I lost access to this email address from my university because I have graduated and they removed my access. However, the screenshot suggests "Lost access to your email? Get in touch", which I did. Then they responded, basically saying I should create a new account instead. But if support cannot help me change the email regardless, then why do they have that prompt in the first place?

    I remember the current password, have access to the verified phone number, and have 2FA enabled, which I also have access to, as well as the recovery code. If that is still not sufficient to prove I am the owner, then I'm fine with uploading photo ID and going through a manual review process, but that does not seem to be an option either.

  • VoinTsynk

    You are now the reason why I can't change my email, thanks for making things worse for me!
