Discord privacy and security problems to watch out for

Anton P. | September 23, 2020

Initially launched as a paradise for online gamers, Discord gained a reputation as a feature-rich community for all. The more universal launch was remarkably successful, jumping on the COVID-19 remote-work train. However, the main appeal of Discord is its seemingly untraceable and privacy-oriented approach.

This feeling of total freedom is not always a benefit, however. Many believe that the barely monitored Discord environment is fertile ground for illicit content, cyberbullying, human trafficking, and other cybercrimes. In addition to the proclaimed lack of surveillance, privacy and security advocates label it as potentially harmful. From slow responses to reported issues to inappropriate data management, Discord seems to hide a lot of problems under its shiny hood. Let’s explore just how Discord compromises communities, and whether using alternatives is the way to go.

Cybercrime rises on Discord

Discord rang the final summer bells with a transparency report, clarifying the prevalent trends and criminal activities. The platform receives most complaints about spam, doxxing, exploitative content, malware, hacks, and cheats.

At first glance, the platform struggles to cope with the amount of nonconsensual and exploitative content published. Usually, the reported behaviors relate to harassment or attempts at public humiliation of individuals. Discord banned approximately 162,621 accounts for posting personal imagery or other details without consent. However, while blocking vicious trolls of the internet is useful to an extent, it is not a long-term solution. Hence, Discord focuses on educating users on the harmful nature of harassment in any shape or form. As it appears, such an approach means that Discord bans only 3% of first-time offenders.

However, Discord has yet to conquer the central issue: its participation in transmitting illegal content and crime. Over time, the platform became the place for perpetrators to let off steam and viciously attack other individuals. Hence, the offenders publicly expose details on people’s private lives, ruin reputations, and hurt their emotional states. Such traumatizing data disclosure can happen to anyone, but it is just the tip of the iceberg. Charlottesville’s Discord channel is probably one of the most infuriating and tragic stories. Sadly, similar disturbing channels continue to exist to this day.

Poor attitude towards providing quality services

The overall approach of the technical department has seemed insufficient on numerous occasions. While seemingly minor, the resulting flaws can drive even the most loyal Discord users crazy. For instance, writing and then deleting a message will still keep the mention badge on for others. Furthermore, Discord does not seem to treat cybersecurity as a top priority either.

Their strong password policy is fairly recent, released only after getting slammed for not having it. Of course, reacting to public opinion and concerns is a plus for Discord. Nevertheless, their attitude towards users and reports seems to be questionable. Apparently, Discord removed years of data regarding bugs and issues on their platform without fixing them beforehand. As a cherry on top, consider frequent Discord downtimes: some of them relatively recent. While the company claims to investigate the potential issues, it has taken no proactive measures yet.

Yes, all of these issues might seem manageable and not as obstructive. However, can you use Discord with confidence and trust them with your private chats? For one, understaffing might be the problem for Discord. With not enough hands on deck, they cannot cope with the incoming stream of reports.

Discord’s privacy policy lacks… privacy?

Barely anyone ever reads privacy policies. As a result, many companies, not exclusively Discord, tend to take advantage of that. According to the official document of Discord, here are the main details that you should pay attention to:

  • Discord collects and keeps logs of the following information: username, email address, exchanged messages and images, and transient VoIP data.
  • It can read your Facebook contact details if you choose to link your social media account with Discord.
  • The platform records your IP address continuously, every time you enter.
  • Discord can share aggregated user information with third parties. In other cases, it has permission to exploit logs for internal studies.

All of these conditions seem relatively standard in this age of data-gathering. However, these features do not sweeten the deal. By nature, Discord is not the safest communication platform. It applies standard encryption, and it does not offer any end-to-end encrypted option. With the world riddled with digital privacy concerns, people might look away just for that. So, Discord seems to follow a more reactive approach towards security rather than a proactive one.

Discord’s business model

Since Discord is a free product (for the most part), it is natural for users to wonder about its revenue. After accusations of selling user data to marketers, Discord stepped on the stage to explain their business model. According to the released statements, Discord’s sole revenue source is the subscription packages. Of course, researchers launched their experiment to cross-check these claims. As expected, Discord logs all messages and channel-related information.

Additionally, it shares user data with Adjust and Google’s Crashlytics. These two might contribute to ad personalization. However, the study did not address the possibility of Discord’s backend activities: more data-sharing activities could be visible there.

Fertile land for malware distribution

Privacy and security on Discord have had their ups and downs. There are numerous accounts of crooks exploiting Discord as a primary channel for malware transmission. Let’s review some of the notorious incidents:

  • AnarchyGrabber trojan. This malware infection originally roamed the streets of hacking forums and YouTube videos. However, the trojan broadened its scope by targeting Discord. The premise here is simple: AnarchyGrabber would alter Discord client files to avoid detection. Then, it stole user accounts, including passwords. Another curious detail is that the trojan disabled two-factor authentication. To spread AnarchyGrabber even further, crooks promoted the malware as a hacking tool, game cheat, or exclusive content.
  • Malicious npm package. A JavaScript library disguised as “fallguys” promised an interface for the Fall Guys: Ultimate Knockout game API. Used as bait for developers, the vicious package stole information about users’ browsing history and Discord activity. The latter refers to the channels users joined, and a variety of other data related to them.
  • SpideyBot malware. Similar to AnarchyGrabber, this infection modified the Windows Discord client to steal user information. It could get access to IP addresses, usernames, email addresses, phone numbers, and more. However, the malware also read the content copied to the clipboard. We tend to copy passwords, personal information, bank details, etc. Hence, this feature labeled the infection as highly concerning.

Discord’s file-sharing system is also quite impractical. Even non-registered visitors can freely download uploaded content. Ironically, even if Discord bans or deletes accounts, their messages remain. This ordeal complicates the process of finding people responsible for the malware or distribution of illicit material. At one point, Discord’s vulnerability allowed random users to modify messages from other accounts. Even if no real-life exploitation occurred, the loose modification opportunity was ideal for framing innocent people.

Passport photo to verify bots

Your ID card and passport are probably among the most confidential documents you own. You only share them with respectable companies and apps. However, Discord decided on requiring these documents for photo identification to verify bots. A successful authentication would earn you a shiny Verified checkmark on your bot listing. The question pops up: are you comfortable sharing your passport with an instant messaging app? Knowing the possibility of data breaches, the images of your passport could leak. Other than that, users share full scans of confidential documents with a for-profit company. To add to the fire, you cannot take it back: Discord does not offer the option of deleting passport photos. If, after contemplation, users decide not to verify identities, their career as bot creators might end. So, everything around the passport verification seems suspicious or unnecessary (to say the least).

Final thoughts: is Discord worth it?

Discord’s explosive growth is complicated. On the one hand, the title of an industry-leading application is an honor. On the other, this position requires extensive attention to the growing community and infrastructure management. Sadly, Discord is not always capable of reacting to emergencies or preventing them. How does this affect their popularity? Not that much. Discord users have been comfortable with the service for years. They contribute to the ecosystem and feel a sense of belonging through participation in channels. Also, switching to a new platform for gamers would require convincing friends to follow their lead.

Brief advice for all loyal Discord users is to be cautious: no clicking on random links or files. Furthermore, do not reveal too much information about yourself via chats. Since there is no end-to-end encryption, data leaks are not a mission impossible. If you decide to look for more anonymous and private instant messaging tools, please do. Achieving anonymity is a quest many netizens have. Amid increased surveillance, censorship, and user profiling, you should consider all options for preserving your digital identity.

Anton P.

Former chef and the head of Atlas VPN blog team. He's an experienced cybersecurity expert with a background in technical content writing.


