The good old QR trick. A Discord hack explained.
Please read before commenting. I will update this if needed. (Last edit: Jun 5 2023)
- FAQ: "I clicked the invite, but didn't scan the QR code, or didn't complete the login process because I didn't click OK on my phone."
You are fine and won't get hacked. Leave the server and you will be fine.
- FAQ: "Help, I scanned the QR code and completed the login. What happened and what do I do?"
TL;DR: change your passwords, remove authorized apps from settings and unblock all your friends.
- What happened:
By scanning the QR code, you allowed hackers to log in to your account. They canNOT directly install malware/viruses on your PC or phone, but they can look at your account details and send messages pretending to be you. What they did is send all your friends a message with the invite to the scam server, and then block all your friends. If you have Nitro, they might be able to purchase gifts with your account.
- What to do now:
- - CHANGE YOUR PASSWORD. It is as simple as that. If you change your password, everyone who is logged in will be logged out of your account. This will cause the hackers to lose access to your account. If they keep logging you out, just request an email password reset.
- - Next, check the authorized apps in your settings, and remove any suspicious apps/bots you see there. (Or just remove everything if you can't pick out a suspicious one.)
- - And last, to prevent this from spreading, unblock all your friends and send them a message explaining it was a scam (maybe link this video too ;) ). After you have done that, you should leave the server and continue to use Discord normally; there is no need to delete your account.
- In the time hackers had access to your account they might have grabbed your contact info like your email address and phone number. They can't hack your e-mail or phone, but they might use it to scam you again by sending phishing messages, so do Google what that is and be prepared.
- If you have bought Nitro or server boosts, they might be able to buy gifts from your account. If this happens, contact Discord support. They also have access to the receipts of your purchases. These contain some personal information that could maybe be used to pretend to be you at your bank. Look at the receipts yourself (after having changed your password as explained above) and call your bank.
- Theoretically they could have searched through your message history, but I doubt they would think that that would be worth it. Finding useful messages (account details/passwords you might have shared, stuff they can blackmail you with) is like finding a needle in a haystack and is not worth the cost of the required internet traffic and computational power.
- FAQ: "Does 2FA help here?"
No. QR logins skip the 2FA code. More about this in the hearted comment thread with Jackson.
- FAQ: "Do I need to worry about my linked accounts?"
No. Linked accounts only use information that is public (or public within Discord) anyway, so even if they did get access to the link tokens, they can't really abuse them. The limited capabilities of linked accounts are designed for this.