Scraper spied on 600 million Discord users and sold the data.

A publicly accessible website is selling data about Discord users and their messages for as little as $5.
discord-hacker-image

Discord, originally designed for gamers but increasingly popular across the internet, is presumed to have a degree of privacy in its messages. Only members of a Discord server (approved by moderators) are supposed to see them. Or so one might think. According to a new report, third parties can easily scrape and cross-reference these messages… and sell them to the highest bidder.

404 Media reported on a website called Spy Pet, operated by an anonymous creator who claims to be collecting data from 14,000 Discord servers and over 600 million users, with over 4 billion messages indexed so far. Their system scrapes group messages within Discord server channels and logs which users are active across multiple servers.

This data is then anonymously sold in cryptocurrency form for as little as $5 to anyone interested. Customers can search the database to find the activity of individual Discord users across a range of servers, view messages they’ve posted in open channels, and see any usernames and nicknames (often aliases rather than real names) they’ve used across different servers, as well as accounts associated with their Discord user accounts on other sites. It can even show which users have been banned from using servers and allows downloading their data into a table.

Spy Pet seems to be built on Discord’s standard API and developer tools, essentially scraping data for less-than-scrupulous purposes. This means that while the service certainly violates Discord’s terms of service, it may not necessarily break any explicit laws. It’s currently unclear where the website operates, but its registration center is in the Netherlands.

It should be made clear: they’re not doing anything that couldn’t be achieved through more sophisticated means and are simply providing illicit data to anyone with Bitcoin.

One thing the system cannot do is access private messages sent between individual users or group users outside of open channels. Nevertheless, the privacy implications are staggering. In addition to gaming and general interest groups, Discord is often used as a direct customer service system for small companies and as a place for fringe communities to communicate to some degree anonymously and securely.

The existence of Spy Pet, and the potential for anyone (including hacker groups and state-sponsored data collectors like law enforcement agencies) to do the same, makes Discord seem less secure as a means of communication. The “request deletion” link at the bottom of the page displays a clip of a meme video from the 2002 film “Spider-Man,” callously dismissing any hope for affected Discord users to keep their data private.

Ironically, Spy Pet’s promotional page claims that its own clients can enjoy “enhanced user privacy” and conduct “secure and confidential” searches.

Leave a Reply

Your email address will not be published. Required fields are marked *