first 5 minutes – stop the bleed
Kill all sessions
Discord → User Settings → Authorized Apps → revoke everything. Also under "Sessions" log out all unknown devices.
Check webhooks
Server Settings → Integrations → Webhooks – remove any unknown webhooks (attackers use them to spam).
Audit log first
Server Settings → Audit Log – sort by date to see exactly what the attacker changed (roles, channels, bans).
🔐 account recovery (locked out)
- Forgot password? Start at discord.com/login → "Forgot password". If attacker changed email, use support form.
- Support contact: dis.gd/contact – choose "Hacked account". Provide: previous email, username, creation date (approx), any Nitro receipts.
- Proof: Screenshots of DMs, friend list, or server membership can speed up recovery.
Undocumented: If you ever bought Nitro, include the transaction ID (check your email for "Thank you for purchasing Nitro"). Support prioritizes paying users.
- Token loggers: Attackers may have stolen your Discord token (via malicious software). After recovery, go to User Settings → "Log Out of All Known Devices". This invalidates the token.
- 2FA bypass: If you had SMS 2FA, they might have SIM‑swapped. Switch to Authy / Google Authenticator immediately.
- Phone number: Remove your phone number from Discord if you suspect carrier fraud.
SIM swap & Nitro scams: Discord accounts are often taken via SIM swap (attacker convinces mobile carrier to transfer your number). Call your carrier immediately, set a port‑out PIN. Also, never click "Nitro gift" links from unknown users – that's the #1 phishing vector.
👑 server owner – advanced forensics
- Attackers often create a new role with admin and hide it. Check Server Settings → Roles for any unfamiliar roles, especially those with "Administrator".
- They may have deleted your admin role. Audit log shows who modified roles.
- Webhooks can send messages even after password reset. Check Integrations → Webhooks. Delete any webhook you didn't create.
- Attackers use webhooks to spam crypto scams. Also check channel-specific webhooks.
- Check Server Settings → Integrations → Bots and Apps. Remove any unknown bots (they may have admin permissions).
- Some bots can log all messages – revoke them.
🔍 after you're back in – deep clean
- Change password – strong and unique.
- Enable 2FA (Google Authenticator, not SMS). Save backup codes.
- Authorized apps: User Settings → Authorized Apps – revoke everything, especially games or "verification" bots.
- Connected accounts: Remove any unknown connections (Twitch, Steam, etc.) that you didn't add.
- Audit log review: Go through every action. Look for deleted channels, banned members, and permission changes.
- Restore channels: If channels were deleted, you may need to recreate them (Discord doesn't keep deleted channels).
- Unban members: Check Server Settings → Bans – attacker may have banned legit users. Unban them.
- Moderation: Review "AutoMod" rules for any malicious additions.
hidden persistence mechanisms
- Integration webhooks: Attackers create webhooks that can post in any channel. Always check each channel's integrations (channel settings → integrations).
- Vanity URL changes: If your server had a custom invite link, attacker may have changed it. Check Server Settings → Invites.
- Emoji/Sticker backdoors: They can add offensive emojis or stickers. Review Custom Stickers and Emoji.
- Community settings: If your server is "Community enabled", check "Moderation" tab for added banned words or automated actions.
- If you had Server Subscriptions, check Payout Settings – attacker may have changed bank info.
- Review "Server Shop" for any unauthorized items.
- Attacker may have DMed malicious links to your friends. Warn them.
- They might have downloaded your data (if they had access long). Request a data export from Discord to see what was accessed.
backup codes – your lifeline
After recovery, generate new backup codes and store them offline (e.g., in a safe or password manager). Without them, if you lose 2FA again, recovery is much harder.
download as PDF
print & store