Discord Password Security Issues

Just in case you guys didn’t see this on the Discord website:

tl;dr: Change your password.

2 Likes

As the names are similar, it’s probably worth pointing out that the ‘Discord’ app is the gaming skype/teamspeak client thing, while the forum software we use here is called ‘Discourse’ and isn’t impacted by this.

1 Like

Just as an FYI - Rock, Paper, Shotgun has a PSA on their page as they DO use Cloudflare.

So if you have a password with them you should change it.

We also use Cloudflare for the www and forums here, but not for any of the features that leaked stuff.

Google and the rest of the search engines have also purged their indexes of CF naughty stuff, as the actual bug in CloudFlare was in about September 2016 but the web crawlers then caught and indexed it. Doh! For a Content Distribution Network this leak bug is about as bad as it gets.

Without HTTPS on any login system it’s all pretend anyway. If you have logins on any sites that don’t use HTTPS then it’s all just reduced returns of feeling better :slight_smile:

On this sort of subject, a handy tool to see if your username/email and password is out there due to previous exploits/leaks. Chances are high that it is, so freshen up those secrets. :slight_smile:

https://haveibeenpwned.com/

Of course, maybe that site gathers emails and usernames, but it’s unlikely. Stranger danger! :slight_smile:

3 Likes
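On the "maybe that site gathers emails" worry: the Pwned Passwords side of haveibeenpwned.com can be queried without ever sending the password, or even its full hash. The client hashes the password with SHA-1, sends only the first five hex characters, receives every breached hash suffix sharing that prefix, and does the comparison locally. The example below is added here and is not from the original thread or from the HIBP project; the `SAMPLE_RANGE_5BAA6` response body is constructed for the example (only the "password" entry in it is a real breached hash, the other suffixes and counts are made up) so that the code runs offline, while `fetch_range_live` shows the real endpoint and headers.

```python
from __future__ import annotations

import hashlib
import urllib.request

# Constructed stand-in for the body of GET https://api.pwnedpasswords.com/range/5BAA6
# Real responses contain hundreds of lines. Only the 1E4C9B... line (SHA-1 of
# "password") is real; the remaining suffixes and counts are invented.
SAMPLE_RANGE_5BAA6 = """\
003D68EB55068C33ACE09247EE4C639306B:3
012C192B2F16F82EA0EB9EF18D9D539B0DD:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
FFDE1EAFDA9A4C1E3A1AD1A5C0B8C8E6C7F:1
"""


def split_sha1(password: str) -> tuple[str, str]:
    """Return (5-char prefix, 35-char suffix) of the upper-case hex SHA-1.

    Only the prefix leaves the machine; the suffix is compared locally, so the
    service learns neither the password nor which of ~1M candidate hashes it is.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines from a range response into {suffix: count}."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def fetch_range_live(prefix: str) -> str:
    """Query the real range endpoint (network required).

    The service rejects requests without a User-Agent. Add-Padding makes every
    response a similar size, so a network observer cannot infer the prefix
    from the response length.
    """
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "hibp-range-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def offline_fetch(prefix: str) -> str:
    """Stand-in for fetch_range_live so the example runs offline."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""


def pwned_count(password: str, fetch_range=fetch_range_live) -> int:
    """How many times the password appears in breach corpora; 0 if unseen.

    Padded responses include suffixes with count 0; those are treated as unseen.
    """
    prefix, suffix = split_sha1(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        n = pwned_count(pw, offline_fetch)
        print(f"{pw!r}: {f'seen {n} times' if n else 'not in sample range'}")
```

Swap `offline_fetch` for the default `fetch_range_live` to query the real service; the password itself is never in the request, only the five-character hash prefix.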

Lol I totally don’t try those because of that fear.

1 Like

What harm can come from being added to the Ashley Madison database?

1 Like

I use an old password, that’s been owned several times, on Discord. I usually do this on unimportant sites where there are no money transactions or the like.

I use the HTTPS Everywhere plugin to force HTTPS. I also use Ghostery to look at what the site is trying to do with me (Mudspike Forums is using Google Analytics) and uBlock Origin, as that flat out blocks any content it deems unsafe.

My passwords are usually 16 characters or longer to make them even harder to crack.

We do that to work out server load.

We have no 3rd party ads, no social media trackers, no Amazon affiliate links, no Adsense, no corporate sponsorship, outbound links set to norel, no Patreon link, no YouTube ads and the analytics are set to not track users by any uniquely identifying markers.

I’ll give it 6 months before we close down. :wink:

I’ve seen much worse stuff out there than google analytics. I believe ghostery also blocks certain stuff, you can at least trust or restrict sites.

Yep. People tend to be pretty blissfully ignorant of what gets recorded and for what reasons.

If you are on a free forum, and it’s not a ‘product forum’ (as in, sells you other stuff direct) then you are basically the product in 99% of the cases. Something like ‘a popular flight sim forum’ will make about $20,000 a month in revenue from all the google traffic and ad links that get viewed. The M.O. is to get the moderators all working for free (because some people just love to moderate others as a hobby in itself), get a core group of hobbyist users to keep posting content for free, and then rake in the ad money. It’s a common pattern.

The move to mobile and responsive HTML designs is all about the fact that people have figured out how to use Ad Blockers on desktop, but on mobile you aren’t ‘allowed’ them. Most people don’t tend to root their phones or tablets and things like iOS Safari and Android Chrome don’t allow those add-ins like uBlock. The percentage of the average person using Firefox mobile is tiny, as it is all about the masses on stock phones and the google search traffic it drives per keyword. The move to mobile is essentially about keeping the tracking and advert revenue coming in, as without these ‘for profit’ forum sites wouldn’t exist. They don’t care a single cent about your hobby is the harsh reality.

It’s essentially a people farming business. :cow2: :slight_smile:

3 Likes

Suggestion for anyone getting tired of all these password hacks: download KeePass (it’s open source and free) and start moving your accounts into it. It will generate strong passwords for you and you won’t need to know what they are, only how to get them from KeePass. They have an Android app (and maybe iOS) so you can get your password info if you’ve put the KeePass database file in a cloud service like OneDrive or Google Drive.
The argument against this is that if this database gets compromised then you lose all your passwords at once, but you can make that pretty unlikely if you set a strong master password as well as second factors, such as requiring that a certain file be present on your local drive whenever you unlock the DB, which should make the DB useless to an attacker if the cloud storage is compromised. There are caveats to this method as well, i.e. if someone is targeting you and has obtained access to your local disks, they could probably figure out the file you’re using to authenticate. Anyway, it’s still a lot safer than using 5 passwords everywhere.
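The master password plus key file described above works because the database key is derived from both factors together, so a copy of the .kdbx lifted from cloud storage cannot be brute-forced from the password alone. The example below is added here and is not KeePass's own code or file format; it is modelled loosely on the KeePass composite-key idea (hash each factor, concatenate, hash again, then run a slow KDF) with a toy verifier in place of a real encrypted database. Names such as `composite_key`, `derive_db_key` and `can_unlock` are this example's own, and the key file bytes and salt are generated inline.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
import string

DEFAULT_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20, alphabet: str = DEFAULT_ALPHABET) -> str:
    """CSPRNG-backed password of the kind a manager fills in for you."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def composite_key(master_password: str, key_file: bytes | None = None) -> bytes:
    """Combine the unlock factors into one 32-byte key.

    Each factor is hashed separately, the digests are concatenated, and the
    result is hashed again. Omitting the key file changes the input and
    therefore the output, which is what makes a stolen database copy useless
    without it.
    """
    material = hashlib.sha256(master_password.encode("utf-8")).digest()
    if key_file is not None:
        material += hashlib.sha256(key_file).digest()
    return hashlib.sha256(material).digest()


def derive_db_key(composite: bytes, salt: bytes, n: int = 2**14) -> bytes:
    """Memory-hard KDF (scrypt) so offline guessing of a stolen DB is expensive.

    n=2**14, r=8 uses about 16 MiB per guess; a real manager tunes this higher.
    """
    return hashlib.scrypt(composite, salt=salt, n=n, r=8, p=1, dklen=32)


def create_database(master_password: str, key_file: bytes | None) -> tuple[bytes, bytes]:
    """Return (salt, verifier). The verifier stands in for the encrypted header
    a real database would carry; it lets us check a key without an encryption
    library."""
    salt = secrets.token_bytes(16)
    db_key = derive_db_key(composite_key(master_password, key_file), salt)
    return salt, hashlib.sha256(b"verifier|" + db_key).digest()


def can_unlock(salt: bytes, verifier: bytes, master_password: str,
               key_file: bytes | None) -> bool:
    """Constant-time check of a candidate factor set against the stored verifier."""
    db_key = derive_db_key(composite_key(master_password, key_file), salt)
    return hmac.compare_digest(hashlib.sha256(b"verifier|" + db_key).digest(), verifier)


def demo() -> dict[str, bool]:
    """Create a DB locked with both factors and try the three attacker views."""
    master = generate_password(24)          # strong master password
    key_file = secrets.token_bytes(64)      # key file kept on the local disk only
    salt, verifier = create_database(master, key_file)
    return {
        "both_factors": can_unlock(salt, verifier, master, key_file),
        "password_only": can_unlock(salt, verifier, master, None),   # cloud copy + master pw
        "keyfile_only": can_unlock(salt, verifier, "", key_file),    # local disk, no pw
        "wrong_password": can_unlock(salt, verifier, master + "x", key_file),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:15s} -> {'unlocked' if ok else 'rejected'}")
```

The caveat from the post still holds in the model: an attacker with both the cloud copy and the local disk has the key file, and is back to guessing the master password, which is why the slow KDF and a long master password matter as much as the second factor.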

Look at Mr. Memory here, able to keep FIVE passwords in mind at once! :wink:

Some good discussion and comparison of password managers here: https://www.howtogeek.com/240255/password-managers-compared-lastpass-vs-keepass-vs-dashlane-vs-1password/