Scraper site spies on 600 million Discord users

Hacker woman screens with Discord LogoImage: Discord/Pexels/Cottonbro Studio

Messages on Discord, a chat service that initially catered to gamers but is gaining popularity across the web, are supposed to be somewhat private. Only members of that Discord server (who are subject to the approval of moderators) can see them. Or so you may have thought. According to a new report, it’s startlingly easy for third parties to collate and cross-index those messages…and sell them to the highest bidder.

404 Media reports on a site calling itself Spy Pet, run by a single anonymous creator who claims to be collecting data from 14,000 Discord servers and more than 600 million users, with just over four billion messages indexed so far. The system they’ve built scrapes the group messages inside the channels of Discord servers and makes note of which users are active across multiple servers.

The data is then sold to whoever wants it, paying anonymously in chunks of cryptocurrency worth as little as $5 USD. Customers can search the database to find a single Discord user’s activity across a range of servers, see the messages they’ve posted in open channels, and see whatever usernames and nicknames (often aliases instead of real names) they’re using across different servers, as well as accounts connected to their Discord user account on other sites. It can even show which users have been banned from a server, and allows its data to be downloaded in tables.

Spy Pet appears to be built off of Discord’s standard API and developer tools, essentially scraping data that’s used for less questionable purposes. That means that, while the service is definitely breaking Discord’s terms of service, it probably isn’t breaking any explicit laws. It’s not clear where the site is operating, though its registry is in the Netherlands.

To be clear: they aren’t doing anything that isn’t possible at a much larger scale by more complex methods, they’re just making that illicit data available to anyone with a bit of Bitcoin.

One thing that the system can’t do is access private messages sent between individual users or grouped-up users outside of open channels. Even so, the privacy implications are staggering. In addition to gaming and general interest groups, Discord is often used as a direct customer service system for smaller companies, and a place for marginalized people to communicate with a degree of anonymity and safety.

The existence of Spy Pet, and the possibility that anyone (including hacking groups and state-sponsored data collectors like law enforcement) could do the same, makes Discord seem far less safe as a means of communication. A “request removal” link at the bottom of the page simply displays a meme video from the 2002 Spider-Man movie, flippantly dismissing any hope that affected Discord users might keep their data private.

Ironically, Spy Pet’s promotional page claims that its own customers can enjoy “enhanced user privacy,” with searches that are “secure and confidential.”

Michael is a former graphic designer who’s been building and tweaking desktop computers for longer than he cares to admit. His interests include folk music, football, science fiction, and salsa verde, in no particular order.

Recent stories by Michael Crider:

Ring of bogus web shops steals 850K credit card numbersIf you get a phone call from LastPass, it’s a scamGoogle One VPN is the Google Graveyard’s newest victim

Leave a Response