How I Nearly Locked Myself Out of My Discord Account Forever
A cautionary tale about 2FA management.
For those who don’t know of or use Discord, it’s basically the modern version of the AOL chat rooms from back in the day. Unlike those official AOL chats, anyone can create an account and spin up a server for their friends, company, guild, community, whatever. Because Discord is used to authenticate your role in a server via things like NFTs or Patreon subscriptions, scams are at an all-time high. Servers get hacked all the time, and I can only imagine the absolute hell their devs go through trying to patch and maintain the platform.
One of the extra security measures available to users is 2FA. This is nothing new; you can add it to your Twitter, Blizzard, Facebook accounts, etc. It typically involves emailing you a login link, sending you a code in a text message, or routing you to your Authy or Duo app. But Discord has a different option, one where they generate a series of 6-8 digit codes that must be entered after your password in order to log in. It’s not a big deal once you are logged in, because you can download the codes as a txt file or copy/paste them into a password manager for safekeeping.
I had opted for the “download the txt file” option last year when I turned on 2FA for security in the NFT space. I never had a problem logging in, viewing my codes and typing one in (they are one-time use and can be regenerated as needed) to log into a new device. That is, until a week ago when I changed my password… and forgot it.
You see, I like to use those gibberish passwords that Apple generates for you, then store them in one of my password managers, never to be seen or heard from again until the next data leak - which was the reason for the change last week, when Apple patched two 0-days that gave access to browser data among other things. Discord being a web app means a security flaw within a browser can affect access to my account’s authentication token. So after patching every Apple device in the house I changed a few passwords for good measure.
But for some reason, and I’ve had this happen on several occasions in other apps, the password didn’t get updated in my password managers. The old password was still there and I had no earthly clue what the current one was. I didn’t realize this until last night, when I was hooking up the TV and Xbox for the first time since the move and saw an offer from Xbox Live about redeeming a free month or so of Discord Nitro. I scanned the code and it pulled up the authentication process. But the password I had saved wasn’t working… I checked the password manager and sure enough it was the old set of gibberish and not the new one. I would have to change the password.
Changing your password with 2FA enabled means having to verify the process with an authentication code. No problem, I thought, I’ll just go onto my laptop or tablet and view the security codes just like before. But before, I had the right password, so it let me view the codes to plug in; now I was getting hit with error states left and right. I tried all the password recovery links only to be hit with more requests for the backup codes. Without the codes I couldn’t remove the 2FA either.
At this point I had searched through what to do, only to be met with the realization that if I didn’t have the codes my account was no longer going to be accessible once the app logged me out for any reason. I went to some of my servers in a failed attempt to transfer ownership before that happened, but guess what:
Yep, it needs authorization too. This would all be great news, knowing that my account is so secure that folks can’t abuse password recovery methods to get into it. The issue is that even I can’t recover it anymore with 2FA enabled. Tip: hackers who do get into your Discord account will turn on 2FA to keep you out of it, so turn it on yourself now before that happens.
So how did I get back into my account without the 2FA codes? Well, I went and found the suckers. Yep, the answer to “How do I get back into my Discord account without backup codes?” is to have the backup codes. Sorry, y’all. I was at a total loss; I was already warning servers I own that they were about to have a very cold admin account and that I’d be making a new one to rejoin. That is, until I remembered our network storage from the old house.
We are still in the process of unboxing things, so I went into one of several cardboard boxes filled with other black boxes that connect to the internet. Once I found the network device I connected it back up and logged into it. Remember when I said that I had once downloaded the .txt file years ago? Well, I had recently sold the computer I had done this on, and luckily for me I had backed up the Downloads folder to this network device. Always back up the Downloads folder!
Once in, I searched for “discord” and sure enough one of the first results was discord_backup_codes.txt. Now, just because I found an old copy of it didn’t mean those codes were going to work: I could have refreshed them since, or I could have used up all the ones there (they only work once), so I went with one at the bottom of the list.
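To make the backup-code behaviour described above concrete (codes are shown once, each works exactly once, and regenerating the set kills the old file), here is a small Python model of how a service can manage such codes. This is an added example, not Discord’s implementation or anything from the post; the code format (8 lowercase hex characters), the set size of 10 and the hashing parameters are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed model, not Discord's implementation: the code format
# (8 lowercase hex characters), set size and hashing parameters are assumptions.
CODE_COUNT = 10
CODE_BYTES = 4          # 8 hex characters per code
PBKDF2_ROUNDS = 50_000  # codes are short, so slow the hash down


def _digest(code: str, salt: bytes) -> bytes:
    """Salted, slow hash so a leaked database does not leak usable codes."""
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, PBKDF2_ROUNDS)


class BackupCodeStore:
    """Server-side record of the unused backup codes for one account."""

    def __init__(self) -> None:
        self.salt = b""
        self._unused = set()   # hashes of codes not yet redeemed
        self.generation = 0    # bumped every time the set is reset

    def regenerate(self) -> list:
        """Issue a fresh set. Every code from the previous set stops working."""
        codes = [secrets.token_hex(CODE_BYTES) for _ in range(CODE_COUNT)]
        self.salt = secrets.token_bytes(16)
        self._unused = {_digest(c, self.salt) for c in codes}
        self.generation += 1
        return codes  # shown to the user once; the server keeps only the hashes

    def redeem(self, code: str) -> bool:
        """Accept a code exactly once; a replayed or stale code is rejected."""
        if not self._unused:
            return False
        candidate = _digest(code.strip().lower(), self.salt)
        for stored in self._unused:
            if hmac.compare_digest(stored, candidate):
                self._unused.remove(stored)  # burn it: one-time use
                return True
        return False

    def remaining(self) -> int:
        return len(self._unused)


def walkthrough() -> dict:
    """Replays the situations from the post against the model."""
    store = BackupCodeStore()
    old_file = store.regenerate()               # the downloaded discord_backup_codes.txt
    first_use_ok = store.redeem(old_file[0])    # logging into a new device
    replay_rejected = not store.redeem(old_file[0])   # same code a second time
    bottom_of_list_ok = store.redeem(old_file[-1])    # an untouched code still works
    new_file = store.regenerate()               # resetting the codes...
    stale_rejected = not store.redeem(old_file[1])    # ...invalidates the whole old file
    fresh_ok = store.redeem(new_file[0])
    return {
        "first_use_ok": first_use_ok,
        "replay_rejected": replay_rejected,
        "bottom_of_list_ok": bottom_of_list_ok,
        "stale_rejected": stale_rejected,
        "fresh_ok": fresh_ok,
        "remaining": store.remaining(),
        "generation": store.generation,
    }


if __name__ == "__main__":
    for name, value in walkthrough().items():
        print(f"{name}: {value}")
```

The old file in the story worked only because the two failure modes modelled here had not happened: the code at the bottom of the list had never been redeemed, and the set had not been regenerated since the download. Storing only salted hashes server-side is the reason the service itself cannot hand you the codes back later; the plaintext exists exactly once, in the file you downloaded.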
I was back in my account. I changed my password and saved it this time, verifying that it worked before resetting the 2FA codes and storing those. The moral of this story is to make sure your stored passwords update properly, and keep backups of old data, then backups of those. But just like encryption, your car, your house, or your hardware wallet, without the keys you aren’t getting back in.
I know a lot of people would see this as a deterrent to enabling 2FA on their Discord accounts, citing the issue I just ran into, but this was my fault. I am the one who didn’t verify the new password worked. I am the one who didn’t properly store my 2FA keys. Discord did their job 100% by not letting me back in without those keys.
Yeah, a new account wouldn’t have been the end of the world, but this cautionary tale extends to things that have more sensitive data attached to them. Things like your bank account, credit cards, etc. should have the maximum security settings offered by the company - even if that means you have to do a few extra steps and keep up with a few extra authentication measures. An account so secure even you can’t get back into it.
For those who use Discord but have not set up 2FA, here is the official support link on how to do so.
Even if you aren’t into NFTs, if you are a Discord admin or mod with any level of admin access you should check out Jon_HQ’s Discord security links. You should start with his quiz. Don’t be the weak link that gets the server compromised.