[Feature Suggestion] Add 2FA for all changes

Donchan

• November 15, 2021 19:52

For whatever reason, this option is only enabled for changing passwords on mobile. I doubt people that are hacking accounts will be doing this on mobile when they could just do it on desktop.

Token-grabbers are easily abusing this - they bypass 2FA, get into your account on desktop, and then change everything on your account with knowledge of your password. Everything literally needs only your password to change settings - your username, your email address, your phone number, and even your password.

You can even remove 2FA with just your password and without 2FA - literally view your backup codes with your stolen password, then remove 2FA using those codes.

In the past hour, someone has reported that their account has been hacked through the above method - the former account owner had opened an .exe file which grabbed their token and allowed another user to gain access to their account, changing all of their details and disabling 2FA. Discord has continued to ignore the account owner, even with their status as a Partner.

Not sure why Discord has been trying to work on NFT integration when this glaring security problem has been around for a few months now. Surely Discord's customers should come first?

This is a massive blatant security issue that needs to be solved ASAP.

4

• 

  purin

  • December 23, 2021 04:26

  It's scary that this issue hasn't received any attention. Simply adding 2FA to password and email changes would greatly limit the damage caused by token-grabbers.

  0

Please sign in to leave a comment.