There's been an account hacking wave going on recently and I sadly fell to it. I would like to take a moment to suggest something that would help make Discord's security at least safer and tighter, so that hackers would need more than just your Discord login info to steal the account.
The attack has mainly been spreading through friends: accounts on your friend list fall to it and are then used to go after other friends in other circles. This can be someone you've been talking with a lot, maybe even for years.
Anyway, back to what I want to request as a starting point for improving security:
The Current State of Changing Your Email Address:
At the current state, this is how email changing works.
What it asks for:
1) A New Email
2) Your current password
When your account is breached, whether by someone figuring out your password OR by stealing a token (2FA does nothing in this situation), they can change the email and it's pretty much over: you cannot change your email back to the original one, and the hacker is now effectively the new owner!
An easy solution is to send a confirmation to the original email. This way the hacker would also need to log in to the original email to complete the account theft, and with this extra layer the chances of a successful theft become slim (unless they hold your email's login information too). The confirmation sent for this kind of "Change to a New Email" request could be one of the following:
1) Click of a button, verify this is you doing the request.
2) A code that expires in a few minutes; the user must enter the received code in the pop-up box to continue changing their email.
3) If the user has 2FA, the user will also (or instead) be asked to enter their 2FA code to continue the account change.
After doing one of these, the user will receive a prompt to change to their new email.
Bonus: Make it so you also have to confirm on the NEW email you added!
1) If they know your email's login info (email address and password), they can confirm the change request.
Note: Even so, 2FA would then make the breach far more complex, as they would need a code just to log in to the email itself; at least 2FA would be used for more than just the login, right?
2) If the user forgot their email login info (the email's password, not Discord's), the user cannot change their email at all if this solution is added, which can be problematic in that situation.
I hope to see this feature implemented; at least it would be a start in making Discord secure and safe in situations of a breach through token grabbing and the like, by making it harder for hackers to do their job and giving the original user more time and security to change their info before it's too late.
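As an added illustration of the flow proposed above (this is example code written for this page, not Discord's code and not part of the original post), here is a minimal server-side version in Python: a logged-in session, even one obtained from a stolen token, can only start an email change; the change only lands after a short-lived code mailed to the original address (plus the 2FA code, if enrolled) and then a second code mailed to the new address. The ten-minute expiry, the five-attempt lockout, the in-memory outbox and the sample addresses are all constructed assumptions for the demo; the TOTP routine is the standard RFC 6238 computation.

```python
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass
from typing import Optional

# Constructed policy values (assumptions for this example, not Discord's settings)
CODE_TTL_SECONDS = 10 * 60   # an emailed code dies after ten minutes
MAX_ATTEMPTS = 5             # a six-digit code must not be guessable by retrying

@dataclass
class Account:
    user_id: str
    email: str
    totp_secret: Optional[bytes] = None  # None when the user has not enrolled 2FA

@dataclass
class ChangeRequest:
    user_id: str
    new_email: str
    old_code: str                   # sent to the ORIGINAL mailbox
    old_code_expires: float
    old_confirmed: bool = False
    new_code: Optional[str] = None  # sent to the NEW mailbox once the old one confirmed
    new_code_expires: float = 0.0
    attempts: int = 0

def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1: the same maths an authenticator app runs."""
    counter = int(at) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class EmailChangeService:
    def __init__(self):
        self.accounts = {}
        self.requests = {}
        self.outbox = []  # (recipient, code) pairs: stand-in for the mail sender

    def _issue_code(self, recipient, now):
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self.outbox.append((recipient, code))
        return code, now + CODE_TTL_SECONDS

    def request_change(self, user_id, new_email, now):
        """Step 1: a logged-in session (even a stolen token) can only START the flow."""
        acct = self.accounts[user_id]
        code, expires = self._issue_code(acct.email, now)
        req_id = secrets.token_hex(8)
        self.requests[req_id] = ChangeRequest(user_id, new_email, code, expires)
        return req_id

    def confirm_old_email(self, req_id, code, now, totp_code=None):
        """Step 2: prove control of the ORIGINAL mailbox, plus 2FA if enrolled."""
        req = self.requests[req_id]
        acct = self.accounts[req.user_id]
        if req.attempts >= MAX_ATTEMPTS:
            return "locked"
        if now > req.old_code_expires:
            return "expired"
        if not hmac.compare_digest(code, req.old_code):
            req.attempts += 1
            return "bad-code"
        if acct.totp_secret is not None and (totp_code is None or
                not hmac.compare_digest(totp_code, totp(acct.totp_secret, now))):
            return "bad-2fa"
        req.old_confirmed = True
        req.new_code, req.new_code_expires = self._issue_code(req.new_email, now)
        return "ok"

    def confirm_new_email(self, req_id, code, now):
        """Step 3 (the 'bonus'): prove control of the NEW mailbox before switching."""
        req = self.requests[req_id]
        if not req.old_confirmed:
            return "old-email-unconfirmed"
        if req.new_code is None or now > req.new_code_expires:
            return "expired"
        if not hmac.compare_digest(code, req.new_code):
            return "bad-code"
        self.accounts[req.user_id].email = req.new_email  # only now does the change land
        del self.requests[req_id]
        return "ok"

    def last_code_for(self, recipient):
        """What someone who can read `recipient`'s inbox sees."""
        codes = [c for r, c in self.outbox if r == recipient]
        return codes[-1] if codes else None

def demo():
    """Walk the flow as the thief (stolen token, no inbox) and then as the owner."""
    svc = EmailChangeService()
    secret = b"constructed-2fa-secret"
    svc.accounts["u1"] = Account("u1", "owner@example.com", totp_secret=secret)
    t0, out = 1_700_000_000.0, {}
    # Thief: can open a request but never sees the code mailed to owner@example.com
    thief_req = svc.request_change("u1", "thief@example.com", t0)
    real = svc.requests[thief_req].old_code
    wrong = "000000" if real != "000000" else "111111"  # guaranteed-wrong guess
    out["stolen_token_alone"] = svc.confirm_old_email(thief_req, wrong, t0 + 5)
    for _ in range(MAX_ATTEMPTS):
        svc.confirm_old_email(thief_req, wrong, t0 + 5)
    out["brute_force_locked"] = svc.confirm_old_email(thief_req, real, t0 + 5, totp(secret, t0 + 5))
    # Owner: reads the old inbox, passes 2FA, then confirms the new inbox
    own_req = svc.request_change("u1", "newowner@example.com", t0)
    code = svc.last_code_for("owner@example.com")
    out["missing_2fa"] = svc.confirm_old_email(own_req, code, t0 + 5)
    out["owner_confirms_old"] = svc.confirm_old_email(own_req, code, t0 + 5, totp(secret, t0 + 5))
    new_code = svc.last_code_for("newowner@example.com")
    out["owner_confirms_new"] = svc.confirm_new_email(own_req, new_code, t0 + 60)
    out["final_email"] = svc.accounts["u1"].email
    # A code left sitting in the inbox longer than the TTL is useless
    stale_req = svc.request_change("u1", "late@example.com", t0)
    out["stale_code"] = svc.confirm_old_email(stale_req, svc.last_code_for("owner@example.com"),
                                              t0 + CODE_TTL_SECONDS + 1)
    return out

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The order of checks matters: the lockout is tested before the code, so a six-digit code cannot be brute-forced within its lifetime, and the 2FA check comes after the mailbox code so that a stolen session token and a guessed 2FA value still achieve nothing without the original inbox. Comparisons use `hmac.compare_digest` so response timing does not leak how many digits were right.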