← Back to blog

My Discord Account Got Hacked: How to Recover It and Lock It Down for Good

Written by RiskyMH

SecurityJuly 5, 202615 min read

Token theft, phishing, and social engineering are how Discord accounts actually get taken over. Here is how to recover one and lock it down for good.

If you're reading this because you're already locked out, jump straight to What to do right now. If you're here because you want to avoid ever needing that section, skip to How Discord accounts actually get hacked and then Locking your account down for good.

Discord getting “hacked” almost never means someone brute-forced a password. In the vast majority of real cases, the attacker got in because a token was stolen, a phishing page was convincing enough, or a scam talked the account owner into disabling their own defenses. That distinction matters, because it changes what you actually need to do to fix it and stop it happening again.

What to do right now if you've been hacked

Signs your account is compromised

A compromised account rarely announces itself with a single obvious event. It's usually a pattern:

  • Messages or friend requests you didn't send, often pushing “free Nitro,” crypto giveaways, or a link to “check out my game”
  • An email from Discord about a password or email change you didn't make
  • Login alerts from a device or location you don't recognize
  • 2FA codes arriving when you didn't try to log in
  • Your server suddenly has new webhooks, new bots, or roles and permissions that changed without you touching anything
  • A moderation bot DMing you about sending spam, phishing links, or suspicious messages in servers you’ve never joined or been active in

If any of that is happening, treat it as a compromise immediately rather than waiting to see if it's a fluke.

If you can still log in

  1. 1.
  2. Change your password first, from a device you trust. This alone invalidates the stolen session token in most cases, since Discord issues a fresh token on password change.
  3. 2.
  4. Log out of all other sessions. In User Settings, there's a “Log Out Everywhere” style option that kills every active session except your current one.
  5. 3.
  6. Enable Multi-Factor Authentication. Enable Multi-Factor Authentication if it isn't already on, and set up a passkey or security key rather than SMS (more on why below).
  7. 4.
  8. Go through Authorized Apps. User Settings → Authorized Apps, and revoke anything you don't recognise or don't use. This is the step people skip most often, and it's exactly how a lot of “I changed my password but they're still posting” cases happen: OAuth grants don't get revoked by a password change.
  9. 5.
  10. Change your email password too. especially if it's reused anywhere. Email is the actual root of most account recovery, so if the attacker still has your inbox, they can just reset Discord again.
  11. 6.
  12. If you're a server owner or mod anywhere, check the server's Audit Log for webhook creation, role changes, or bans and kicks you didn't perform, and check Server Settings → Integrations for webhooks you don't recognise. Attackers rarely stop at sending spam from one account. If the compromised user moderates a server, they'll often create a webhook, invite a lookalike bot, or quietly adjust permissions before anyone notices, so understanding exactly what changed matters as much as reverting it.

Read more on Discord's official “My Discord Account was Hacked or Compromised” support article.

If you've been locked out

If the attacker changed your email, check the inbox of your original email address first. Discord sends a “Discord Email Address changed” notification with a revert link, but according to Discord's own support documentation, that window only lasts 48 hours from the change.

If that window has closed, your only path is Discord's official hacked-account support form. A few things that consistently make this faster, based on both Discord's guidance and recurring patterns in support-forum threads:

  • Include your exact username/handle, the original email address, and a clear timeline of what happened
  • Attach screenshots or purchase receipts if you have any, since proof of ownership is what actually moves a ticket forward
  • Submit one ticket, not several. Duplicate tickets tend to slow things down rather than speed them up
  • Response times vary a lot, anywhere from a day to several weeks depending on how complicated the case is, so a thorough first submission matters more than a fast follow-up

Discord is explicit that they will never DM you directly for support, ask for payment, or ask you to change your credentials over chat. Any message claiming to be Discord staff doing that is the scam, not the fix, which brings us to how most of this starts in the first place.

How Discord accounts actually get hacked

None of the methods below need someone to guess your password. They all rely on either malware doing the stealing for them, or you being talked into handing over access voluntarily.

Token-stealing malware (infostealers)

This is the single biggest cause of Discord account takeovers today. Discord doesn't re-check your password every time you open the app. It stores a session token locally that keeps you logged in, the same way most apps do. If malware on your device can read that token, it can log in as you with no password and no 2FA prompt at all, because as far as Discord's servers are concerned, that token is proof it's you.

This isn't theoretical. In January 2026, researchers at Palo Alto Networks' Unit 42 documented a new infostealer called VVS Stealer being sold on Telegram for as little as €10 a week. It searches a user's local Discord storage for encrypted tokens, decrypts them using Windows' own protection API, kills the running Discord client, and can even inject a script to hijack the session outright, on top of grabbing saved browser passwords, cookies, and screenshots. It's one example among many. “Token grabber” malware has existed in various forms for years, but the tooling keeps getting more capable and cheaper to buy.

These stealers almost always arrive disguised as something you'd want to run: a game “cheat,” a cracked piece of paid software, a Discord Nitro generator, a game mod, or a fake “verification” tool someone insists you need to install to join a server or claim a reward. They spread through direct messages, often from a friend's account that's already been compromised, which is why an unexpected file from someone you trust is actually a bigger red flag than one from a stranger.

Phishing pages and fake logins

The classic version: a link promising free Nitro, a crypto giveaway, or an NFT drop leads to a page that looks exactly like Discord's login screen. Type your credentials in, and you've just handed them over. The only reliable tell is the URL. A genuine Discord login page will always be on discord.com, not a lookalike domain or a shortened link.

A more targeted version of this is the “I accidentally reported you” scam. A message, often from a hacked account you recognise, claims they reported you by mistake and that you need to contact a specific “support member” before you get banned. That person then walks you through changing your email, disabling your 2FA, or scanning a “verification” QR code, all of which hands them the account directly. Discord support will never approach you first, and will never ask you to disable your own security features. If a conversation is heading in that direction, stop and go to Discord's real support page instead.

Malicious OAuth apps and authorized-app abuse

When you click “Authorize” on a bot or third-party app, you're granting it a set of permissions on your account, sometimes just profile info, sometimes far more. Attackers build apps that request broad permissions and disguise the authorization screen as something innocuous, like a “verify to claim reward” step. Because this doesn't touch your password at all, it survives a password reset, which is why checking Authorized Apps is a required step after any compromise, not an optional one.

QR code login abuse

Discord's QR login (scan a code with your phone to log into the desktop or web app) is genuinely convenient, but it's also been repeatedly abused for scams since it launched. Scammers generate a real Discord login QR code, disguise it as a “free Nitro” claim code, and if you scan it, you've just logged their session into your account. The rule here is simple: only ever scan a Discord QR code that you generated yourself by choosing to log in on a new device. If a QR code arrives via DM or a giveaway post, it's not a gift.

Credential stuffing and password reuse

If you reuse a password across sites, a breach at some unrelated service can hand your Discord credentials to an attacker with zero effort on their part. They just try the same email and password combo on Discord and see if it works. This is quietly one of the most common causes of account takeovers across every platform, not just Discord, precisely because it requires no phishing and no malware at all.

Compromised-friend chains

A huge share of the malware and phishing links above spread specifically because they arrive from someone already on your friends list. Once one account in a friend group is compromised, attackers use it to message everyone else, since a “hey check this out” from a known contact bypasses the instinctive suspicion a message from a stranger would trigger. We've seen the same pattern show up as fake moderation bots and fake verification bots too: the initial compromise is rarely where the damage stops, it's just where it starts. This is also why warning your friends and any servers you're in immediately after a compromise isn't just politeness, it's actively slowing the spread.

Locking your account down for good

Get proper MFA, not just any MFA

Discord supports three MFA methods, and they are not equally secure. In order of strength:

  • Passkeys / security keys: a cryptographic credential tied to your device (Face ID, Windows Hello, or a physical hardware key like a YubiKey). Discord's own security team describes this as close to phishing-proof, because there's no code to steal or trick you into typing. The credential never leaves your device in a form an attacker could intercept. Set it up under User Settings → My Account → Security Keys.
  • Authenticator apps (TOTP): codes from an app like Google Authenticator or a password manager's built-in generator. Solid, but a phishing page can still trick you into typing the code in at the wrong moment.
  • SMS codes: better than nothing, but vulnerable to SIM-swap attacks and the weakest of the three options Discord offers.

Whichever combination you use, download and store your backup codes somewhere safe (a password manager, not a screenshot on your desktop). They're the only way back in if you lose your device.

Use a password manager and a unique password

If your Discord password is used anywhere else, change that first. A password manager removes the excuse: you never have to remember or reuse a password again, and most will flag it for you if a password you're using has shown up in a known breach.

Audit your Authorized Apps periodically

Not just after a scare, every few months. It's the same five-second check each time: User Settings → Authorized Apps → remove anything you don't recognise or no longer use. Treat “why does this app need this permission” as a real question, not a formality.

Keep your devices clean

Since most account takeovers now start with malware rather than a guessed password, device hygiene is Discord security. That means:

  • Don't run executables sent to you by someone else, even a friend, without verifying through a different channel first
  • Be skeptical of “game cheats,” cracked software, and mod tools, since these are consistently the most common delivery method for token-stealing malware
  • Keep your OS and browser updated, and run reputable antivirus/anti-malware software
  • If you suspect malware already ran, a full scan (or in bad cases, a clean OS reinstall) needs to happen before you trust that device with password resets or MFA setup again, otherwise you're just handing the attacker a fresh token

If you own or moderate a server

This is where it's worth slowing down, because a compromised admin account doesn't just cost one person. It can take an entire community down with it, and it's the pattern we run into most often when we're called in to help clean up after a server-wide incident.

  • Limit Administrator permission to the owner only. Administrator bypasses every other permission check, so if a mod with Admin gets compromised, the attacker effectively owns the server.
  • Give bots only what they need. A moderation bot rarely needs Administrator to function; most well-built bots document the specific permissions they actually require. Bots with unnecessary Manage Roles, Manage Channels, or Manage Webhooks access are a common way a single compromised bot account escalates into a full server takeover.
  • Treat webhook URLs like passwords. A webhook URL that leaks, whether in a public repo, a pasted config, or a chat log, lets anyone post as an official-looking announcement in your server. That's exactly how the fake-airdrop and fake-mint scams spread through crypto-adjacent servers.
  • Review permissions on a schedule, not just after an incident. Departed mods and unused bot integrations are exactly the kind of standing access that gets exploited months after everyone's forgotten it exists.

Good account security closes off most of the easy ways in, but it can't catch everything on its own, especially the moment an attacker is already inside and moving fast. That's the gap that ongoing monitoring for suspicious joins, phishing links, and unusual moderation activity is meant to cover, and it's the exact problem Honeypot was built to sit in front of. How Honeypot Systems Work covers the detection approach in more detail.

Stay skeptical of urgency

Nearly every method above (the fake support DM, the “claim before it expires” giveaway, the “you're about to be banned” message) depends on making you act before you think. The single most effective habit against all of it is the same: if a message is trying to rush you into logging in somewhere, scanning something, or disabling a security feature, stop and go verify it through Discord's official channels yourself instead of following the link you were handed.

Quick reference: locked-down Discord checklist

  • Unique password, stored in a password manager
  • Passkey or security key set up as your primary MFA
  • Backup codes saved somewhere safe (not a screenshot)
  • Authorized Apps reviewed in the last few months
  • No unnecessary Administrator-permission bots in any server you run
  • Webhook URLs never pasted anywhere public
  • A standing rule: never run files sent unprompted, never scan QR codes you didn't generate yourself

Sources and further reading: Discord's official “My Discord Account was Hacked or Compromised” support article, Discord's Multi-Factor Authentication setup guide, Discord Safety Center's spam and hacking prevention tips, and Discord's blog post on how MFA keeps accounts safe.

Further reading

Adjacent notes and related topics.

Looking for the core product docs? Try the documentation or the setup guide.