New Discord username policy raises user privacy fears

Categories: News. Tags: Discord, privacy, username, discriminator, DM, bot, chat, change, changing, server, hijack phish, private

We take a look at the reaction to Discord’s proposed changes to how usernames work, and why many users aren’t happy with the upcoming alterations.


The post New Discord username policy raises user privacy fears appeared first on Malwarebytes Labs.

Malwarebytes

Discord, the Voice over IP (VoIP) and instant message communications tool, is changing how usernames function in a major way soon. Many users are not keen on this change at all.

What is going on over there, and why are so many people concerned about the upcoming alterations?

When Discord launched back in 2017, the developers didn’t want you to try and sign up only to be told “Username taken”. They wanted you to jump straight into the chatroom-based action. When people started wanting to talk to their friends located in other servers (essentially, other chat rooms), Discord introduced a friend system and a numbering system called “discriminators”.

This is just another way of saying “We put a four digit number at the end of your username”. If you wanted to be Steve, into the chat you’d go as Steve#3857. If another Steve signed up, they’d be Steve#3858. And so on. A drawback of this system is that if 9,999 Steves already exist, then we’re all out of Steves because this is the maximum number you can have of one particular username.

It remained like this for about 8 years, and now we’re at the point where everything is changing. Very soon, Discord will ask you to amend your username to something more specific. All of our Steves will fight to the death in order to become the one true Steve, shorn of numbers forever. If you miss out on landing the Steve handle, sorry: you’re probably going to be St3ve from now on.

This isn’t so bad, you may think. However, a lot of privacy-related issues are bubbling up to the surface. Users of Discord quite enjoy the level of anonymity afforded by the numbers system. It’s a bit like having a giant online user directory, but one where the user is in full control of how that information leads back to them in the majority of situations.

With the numbers system in place, it’s as good as impossible for someone to track you down specifically inside of Discord. Where would you start? The answer, of course, is likely “From Steve#0001 all the way up to #9999”. Nobody is going to do this, and so users are afforded some degree of privacy as a result.

This is not to say using Discord keeps you 100% anonymous. Even so, someone usually has to tie a profile to something external and identifiable to run into trouble.

The new system means people have to make a choice. Secure a username that unambiguously ties to your online presence for as long as you use the service, or run the risk of impersonators grabbing your desired identifier.
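To make the difference between the two schemes concrete, here is a small model of both, added as an example for this article and not Discord’s own code. It models the old scheme (one username shared by up to 9,999 accounts, told apart by a four-digit discriminator) beside the new one (one globally unique handle per account, first come, first served). The class and function names and every account id are constructed for the example, and the sequential discriminator assignment follows the article’s Steve#3857 / Steve#3858 illustration rather than any real allocation policy.

```python
"""Toy model of the two account-naming schemes the article describes.

Added example, not Discord's code.  Names, ids and the sequential
discriminator assignment are all constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, List, Optional

DISCRIMINATOR_MAX = 9999  # the article's ceiling: after 9,999 Steves the name is exhausted


class NamespaceFull(Exception):
    """Raised when a username already has 9,999 accounts behind it."""


@dataclass
class DiscriminatorRegistry:
    """Old scheme: many accounts per username, distinguished by #NNNN."""

    # username -> {discriminator: account_id}
    _accounts: Dict[str, Dict[int, str]] = field(default_factory=dict)

    def register(self, username: str, account_id: str) -> str:
        """Attach the next free discriminator to ``username`` (no deletion modelled)."""
        taken = self._accounts.setdefault(username, {})
        if len(taken) >= DISCRIMINATOR_MAX:
            raise NamespaceFull(username)
        disc = len(taken) + 1  # sequential, as in the article's Steve#3857/#3858 example
        taken[disc] = account_id
        return f"{username}#{disc:04d}"

    def lookup(self, username: str, discriminator: Optional[int] = None) -> List[str]:
        """A bare name returns every matching account; with the discriminator, at most one.

        The size of the bare-name result is the anonymity set the article talks
        about: someone who only knows "Steve" has this many candidates to sift."""
        taken = self._accounts.get(username, {})
        if discriminator is None:
            return [taken[d] for d in sorted(taken)]
        return [taken[discriminator]] if discriminator in taken else []


@dataclass
class UniqueHandleRegistry:
    """New scheme: one account per handle, first come, first served."""

    _handles: Dict[str, str] = field(default_factory=dict)

    def claim(self, handle: str, account_id: str) -> bool:
        """True if ``account_id`` now owns ``handle``; False if it was already taken."""
        if handle in self._handles:
            return False
        self._handles[handle] = account_id
        return True

    def lookup(self, handle: str) -> List[str]:
        """A handle resolves to exactly one account or none: the bare name identifies you."""
        return [self._handles[handle]] if handle in self._handles else []


def exhaust(username: str) -> int:
    """Register accounts under one name until the namespace refuses; return how many fit."""
    reg = DiscriminatorRegistry()
    count = 0
    try:
        while True:
            reg.register(username, f"acct-{count}")
            count += 1
    except NamespaceFull:
        return count


def demo() -> dict:
    """Walk both schemes with three constructed 'Steve' accounts."""
    old = DiscriminatorRegistry()
    tags = [old.register("Steve", f"acct-{i}") for i in range(3)]

    new = UniqueHandleRegistry()
    # The earliest account claims first; every later claim on the same handle is refused.
    claims = [new.claim("steve", f"acct-{i}") for i in range(3)]

    return {
        "old_tags": tags,                      # ['Steve#0001', 'Steve#0002', 'Steve#0003']
        "old_by_name": old.lookup("Steve"),    # three candidates: the name alone is ambiguous
        "old_by_tag": old.lookup("Steve", 2),  # ['acct-1']: exact only with the discriminator
        "new_claims": claims,                  # [True, False, False]
        "new_by_handle": new.lookup("steve"),  # ['acct-0']: the name alone resolves the account
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
    print(f"accounts that fit behind one username: {exhaust('Steve')}")
```

The two `lookup` methods are the point of the comparison: under the old scheme a name alone returns a list of candidates (up to 9,999 of them), so a friend request or a search needs the discriminator the user chose to share; under the new scheme the same name returns exactly one account, which is the privacy trade the article describes, and the refused second and third `claim` calls show why the order of the first-come, first-served rollout matters.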

yo this sucks actually?

people not being able to add me on discord without me telling them the discriminator was a feature not a bug

so now i either get to allow impersonators, or pick a random unguessable name and have to override it constantly

truly incredible work 👍 https://t.co/SoTMZZxGNe

— christina 死神 (@chhopsky) May 3, 2023

Worse still, the way this is going to happen is that name availability will be done on a first come, first served basis with people who’ve been on the platform longer getting first choice. Lots of early adopters of the platform will no doubt have amassed many alternate accounts down the years. This not only gives them a distinct advantage in the “name yourself first” stakes, it also provides an opportunity for trolling or security threats. It would theoretically be straightforward to use an army of dormant accounts to “squat” usernames of famous people or business entities. From there, those accounts could be used for phishing or other scams. This isn’t a far-flung theory; you can read folks already raising this issue and thinking about the potential ramifications of Discord’s intended plan.

There are some additional wrinkles added to the new scheme. Users will be able to have a “non-unique display name” which is how your name will appear to other users. Users of social media will already be familiar with this approach. For example, your Twitter URL (here the equivalent of a Discord username) may be twitter(dot)com/Steve, but your display name might say Steven LotsOfNumbers.

The default for this display name when the changes kick in will be whatever your original Discord username happened to be. So, for a while, Steve#0001 will live on.

The sheer generic aspect of user accounts also helped relieve anxiety over phishing and compromise to some degree. Lost your account to a scammer? Assuming you haven’t spent a small fortune on premium features tied to your account, no big deal. Spin up a new one and Steve#0002 rides again.

Now that usernames will be very specific and tied to individuals, it’s not hard to imagine scammers increasing returns on stolen accounts. Streamers and other visible people in gaming circles lose their accounts all the time. What happens when Steven the Streamer, with three million YouTube subscribers, loses his account due to phishing?

Blackmail and potentially juicy returns for fraudsters, that’s what.

Discord has long been a home for entirely (and semi) anonymous folks to hang out in a stress free environment. It’s long since stopped being a hang out spot for gamers only. TV shows, films, products, and more may have a dedicated Discord space. I, myself, have used it for tech support from PC hardware suppliers.

In fact, it’s now so popular that it’s slowly tipping into the realm of unpopular where some user collectives are concerned. Old school forums, filled with search engine indexed solutions to obscure problems, are being replaced by Discord, which cannot be indexed. Increasingly, more things are ending up in Discord which should be available elsewhere too. Video game mods, patch update notes, and more are all drifting toward Discord. This is because it’s simple and easy to set up, and you don’t have to worry about maintaining a website or forum while chasing after security updates.

This tendency to lock away information that would be better served existing outside of a chat room has been frustrating folks for a while now. Adding a username controversy on top of this may put some users off for good.

Tips for keeping your Discord account safe and private

If you’re a Discord user, here are some of the ways you can keep your account safe from scammers and other slices of fraud:

  • Beware Nitro offers. Nitro is a paid service which adds more features to Discord. “Free Nitro” messages in Discord channels from Bots, other users, and non Discord websites should be treated with caution. Check the official page for genuine offers.
  • Non-Discord theft: Scammers will target gamers with phishing links targeting gaming platforms such as Steam. As before, check official sites for word of special offers.
  • Don’t join the spam chain conga line: Bots are common in Discord channels, often there to help with admin tasks. Rogue bots will send direct messages and ask you to spam on their behalf, or invite you to a channel so they can send spam there. Don’t fall for it!
  • Compromised server peril: If the admin is hijacked, any message sent in public or privately could be risky. Server admins should enable two-factor authentication on their accounts to minimise the risk.
  • Privacy settings: Current name policy changes aside, Discord offers several useful features including direct message filtering, explicit image filters, automatic spam filters, and granular control over who can add you as a friend.
