My Discord account has been compromised
Stay calm. Follow these steps in order. Most compromised Discord accounts can be recovered within minutes if you act quickly.
If you are locked out of your account
Go directly to Discord Support and open a ticket explaining your account was compromised. Jump to Step 7 below for guidance.
Signs your account has been compromised
Recovery steps — follow in order
Step 1: Change your password immediately
Do this first. Your first priority is stopping the attacker's access before anything else.
- Open Discord and go to User Settings → My Account
- Click Change Password and enter a strong, unique password you have never used before
- Use at least 16 characters — mix uppercase, lowercase, numbers, and symbols
- Do not reuse a password from any other site
If you cannot log in because the attacker changed your password, click "Forgot your password?" on the login screen. A reset link will be sent to your registered email address — check your inbox (and spam folder).
Step 2: Remove all unrecognised authorised apps
This is the most common attack vector. Scammers trick you into authorising a fake Discord application that can read your messages, join servers, or even send messages on your behalf — without needing your password. Removing these applications is critical.
- Go to User Settings → Authorised Apps
- Review every app listed. If you don't recognise it, or didn't intentionally add it, click Deauthorise
- Remove all apps you are unsure about — you can always re-add legitimate ones later
Common fake app names include things like "Discord Nitro", "Steam Trade Bot", "Free Robux", or apps impersonating real services. Any app you didn't deliberately add yourself should be removed.
How phishing apps steal your account
You receive a message saying you've won Nitro, or a friend asks you to "vote for their server". The link takes you to a fake Discord login page or an OAuth screen asking for broad permissions. Once you click "Authorise", the scammer's bot has full access to your account using a token — no password needed.
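The two lures described above (a fake login page and an OAuth consent screen asking for broad permissions) can be told apart from a normal Discord link by inspecting the URL before clicking. The following is an added example, not part of the original page or any Discord tooling; the official host, the consent-screen paths, the choice of risky scopes and the sample links are assumptions made for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Assumption: the genuine login and consent screens are served from this host.
OFFICIAL_HOSTS = {"discord.com"}
# Assumption: consent-screen paths treated as OAuth authorisation requests.
AUTHORIZE_PATHS = {"/oauth2/authorize", "/api/oauth2/authorize"}
# Discord OAuth2 scopes that expose private data or let an app act for you.
RISKY_SCOPES = {
    "guilds.join": "can add your account to servers",
    "gdm.join": "can add your account to group DMs",
    "messages.read": "can read your messages",
    "connections": "can see your linked third-party accounts",
    "email": "can see your email address",
}

def review_link(url):
    """Return warnings for a link received in a DM; an empty list means none."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()  # ignores any 'user@' prefix trick
    if host not in OFFICIAL_HOSTS:
        # A look-alike login page: nothing else in the URL can be trusted.
        return [f"host '{host}' is not an official Discord host"]
    warnings = []
    if parts.scheme != "https":
        warnings.append("not HTTPS")
    if parts.path.rstrip("/") in AUTHORIZE_PATHS:
        # parse_qs decodes %20 and '+' so the scope list splits on spaces.
        scopes = parse_qs(parts.query).get("scope", [""])[0].split()
        for scope in scopes:
            if scope in RISKY_SCOPES:
                warnings.append(f"scope '{scope}': {RISKY_SCOPES[scope]}")
    return warnings

# Constructed sample links; the .example host and client_id are placeholders.
SAMPLES = [
    "https://discord.com/channels/@me",
    "https://discord-nitro.example/login",
    "https://discord.com/oauth2/authorize?client_id=000000000000000000"
    "&response_type=code&scope=identify%20guilds.join%20messages.read",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(link, "->", review_link(link) or "nothing flagged")
```

An empty result only means these particular checks found nothing; an app you did not deliberately add should still be deauthorised.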
Step 3: Log out of all active sessions
After changing your password, force all other devices and locations out of your account.
- Go to User Settings → My Account
- Scroll down and click Log Out Of All Devices
- This invalidates all existing tokens, kicking out anyone who had access — including via stolen session tokens
Step 4: Enable Two-Factor Authentication (2FA)
2FA adds a second layer of protection so that even if someone gets your password, they still can't log in without your phone. This is the single most effective thing you can do to prevent future compromises.
- Download an authenticator app on your phone — Google Authenticator or Authy are good options
- In Discord go to User Settings → My Account → Enable Two-Factor Auth
- Open your authenticator app, tap the + button, and scan the QR code shown by Discord
- Enter the 6-digit code from the app to confirm setup
- Save your backup codes — Discord will show you 10 one-time backup codes. Store these somewhere safe (a password manager, or printed and locked away). These are the only way to recover access if you lose your phone
Never use SMS (text message) as your 2FA method if you can avoid it. SMS codes can be intercepted. Use an authenticator app instead.
Step 5: Check and secure your account details
Attackers may have changed your email or phone number to lock you out later. Verify everything is still yours.
- Go to User Settings → My Account and confirm your email address is correct
- Check that your phone number (if added) is still yours
- Review your username and display name — change it back if it was altered
- Check User Settings → Privacy & Safety — make sure settings weren't loosened
- Go to your email inbox and check for any Discord emails about changes made recently — forward suspicious ones to Discord Support
Step 6: Warn your friends and servers
Phishing bots often use compromised accounts to spread the same scam to everyone in your contact list and shared servers. Your friends may have already received messages from "you".
- Post a message in your most active servers explaining your account was compromised
- Tell people to ignore any suspicious DMs or links they received from your account recently
- Ask server admins to check if the compromised account sent spam or performed any actions while under attacker control
- Let close friends know directly via a separate platform (iMessage, WhatsApp, etc.) since they may not see a Discord message
Step 7: Contact Discord Support if still locked out
If you cannot regain access through the normal password reset flow (e.g. the attacker changed your email address), you will need to contact Discord's Trust & Safety team directly.
- Go to Discord's account recovery form
- Select "Hacked or compromised account" as the issue type
- Provide as much detail as possible: original email, username, approximate account creation date, billing details if you have Nitro
- Discord may ask you to verify your identity — respond promptly to their emails
- Response times are typically 24–72 hours. Be patient and check your email spam folder
Be wary of anyone claiming to be Discord staff in a DM or on a third-party server. Discord staff will only ever contact you via the official support ticket system or from a @discord.com email address.