Earlier this week a group of hackers published a list of email addresses and passwords they say they phished from users of gaming chat platform Discord.
The list is small, totaling only around 2,500 logins, but the news is still a reminder that Discord users need to remain vigilant for phishing.
"This was no virus, worm or malware of any sort—it was simple old phishing site that utilized Discord's own moronic API to hijack these accounts," the hackers wrote in a message on their website.
Do you know about a data breach? We'd love to hear from you. You can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on email@example.com, or email firstname.lastname@example.org.
Along with their message, the hackers posted a database of the allegedly phished credentials, split into sections for those that work and those that don't. Some of the invalid login details are clearly fake, with emails such as "email@example.com" and the password "fucku," likely from people who are trying to provide the hackers with garbage data.
Some of the around 2,500 allegedly valid logins do appear genuine. Motherboard took a random selection of email addresses from that section of the dump, and tried to create new Discord accounts with them. In the vast majority of cases, this was not possible because the email address was already linked to a real and active Discord account.
Discord did not provide a statement in time for publication.
The lesson: Anyone can fall for a phishing message. That's why it's best to always be vigilant when someone sends you a link to a page that asks you to log in, and to make sure you have two-factor authentication enabled, so you have to enter a code from your phone when logging in. This means that even if a hacker does manage to steal your password, they will still have a harder time actually getting into your account. Details on how you can set up two-factor authentication on Discord are here.