Urgent: Discord Security Alert & 2FA Guide

@everyone

TRANSHUMANIST COUNCIL OFFICIAL NOTICE - ONLINE SECURITY

It seems there is an exploit going around at scale, targeting users' Discord accounts. Once an attacker has control of a Discord account, they send scam messages in people's DMs and in server chats about a "Mr Beast giveaway" (how original) which prompts the user to go to a site and enter a code to get free USDT (a cryptocurrency).

I am aware of two users who have had their accounts hijacked due to this scam, one already got their account back.

The hijacker is likely using a session hijacking technique, which BYPASSES 2FA: the user is encouraged (willingly or unknowingly) to give the attacker remote access to their machine, and the account's session cookie is taken from the user's browser. Your session cookie is stored as a plaintext file containing a long string that authenticates your session, so whoever holds that string is logged in as you without needing your password or a 2FA code.

RECOMMENDED ACTION(S):
1. Do NOT engage with any messages in your DMs, email, or any other medium/form of communication promising free money/crypto/etc.
2. Enable 2FA. The most secure 2FA method is a physical security key (e.g. a YubiKey), then a TOTP app; email and SMS are the least secure.
3. Update your operating systems and mobile devices (this can affect insecure versions of Android). If you are able to, switch to Linux or use macOS. Note that macOS and Linux are still prone to malware.
4. Use a password manager and generate secure passwords (minimum 32 characters, 64 recommended). KeePassXC and Bitwarden are great ones.

If you suspect you may have clicked on a bad link, or otherwise think someone else might have access to your Discord account, do the following:
1. Go to Discord settings
2. Click "Devices"
3. Scroll all the way down
4. Click "Log out of All Known Devices"
5. Re-authenticate only on devices that are yours

Even if a message comes from a friend, still take caution, as their account may be hijacked.
