Recently, I have reviewed a group of people operating under the name “dis.cool”. This group have been stealing the personal data of “100 million users”, and selling it to the masses.
I’ll start by introducing the group behind “dis.cool”. This service is run by rogi and relative. These two are spearheading the organization.
This group was created a while after the release of Discord, a communication platform for gamers, and everyone else; this service attracts young children, teenagers and everyone else. Then, three years later, the “dis.cool” domain was officially registered. And that’s when things took a turn for the worst.
Recently, a very good friend of mine wrote a brief Reddit post about dis.cool. He had contacted the ICO, and many other organizations in a bid to stop this group. We had discovered that dis.cool was not only collecting data without consent, but selling it for $7 USD a year. This is a direct violation of regulations such as the GDPR (Europe), and the CCPA (California). If you’d like to read more about this, I suggest you visit the Reddit post he wrote, and my lengthy comment which explains why this is a danger.
We were appalled to find that the information being sold included the connected accounts of users, the server list of users, and information about servers worldwide.
Please remember that children use this platform, and the selling of their personal information could potentially put them in grave danger. We, as a community, need to be protecting our aspiring young gamers, and provide a safe environment for them. Right now, that’s nonexistent on Discord.
Also, this is illegal.
How did this happen?
First off, Discord has had an everlasting problem that goes by the name of selfbots. Selfbots are banned by the Discord ToS. A selfbot is a bot masquerading as a user, and it logs into a user account. These selfbots are then joined into millions of Discord servers, sending data back to dis.cool such as: channel information, information of the users in the server, and all messages sent in channels the selfbot is permitted to read . I have witnessed the selling of these tokens for myself, and it seems to be quite a big business. Discord have put some measures in place (like the prevention of the
Authentication header), but it is not enough to stop people like these.
However, I’d like to credit Discord for sending an official letter to Donuts, which thankfully got the dis.cool domain shut down. They have since moved to new domains, such as dsc.cool and tracr.co. Furthermore, their new Twitter account is here.
Why not ask them to delete the information?
That’s the thing. When anyone requests to have their personal data removed from this service, they are redirected to a meme instructing them to “delete your account”. This is not only ethically unacceptable, but the refusal to delete personal data is a violation of the GDPR, and the CCPA. Also, their advice is meaningless, considering that if you do follow their instruction, nothing will be deleted.
It is clear to see that these people believe they are above the laws set out to protect victimised users.
Tips on staying safe
Currently, you should refrain from posting your server on popular Discord server listing sites. This includes sites such as top.gg and Discord. Me; I have good reason to suspect dis.cool are scraping information from these services, because (as quoted by them) there is no ratelimiting system present on some listing services. Following this, you should disable your Server Widget. This allows anyone to view information about your server without joining. While some information such as discriminators are anonymized, this is still a security hole.
Also, you should be careful about where you post invites. I am unable to gain insight into every service they scrape, but I’d imagine things like server listing subreddits are scraped too. There is some manual work to the scraping too, which makes this a bit harder.
There is no way to limit the information that user accounts can see in your server, aside from limiting the channels they can see. They can still get the name of every channel, and the topics of them too; don’t store sensitive information in channel topics.
In addition, a well-established verification system is invaluable in these circumstances. I recommend bots such as Valkyrja, which only allows new user accounts to see one channel; the verification process of good bots will definitely slow down selfbots.
Me, and a close friend have been in touch with Discord to limit the information that can be seen by user accounts in your server(s). Stay tuned for updates. Systems such as the Gateway Intents system have the capability to solve issues such as this, but time will tell.
You should also be careful with the bots you add to your server. These bots can ultimately store any and all data you permit them access to, so you should be sure to only allow the permissions required for the bot. As an example, a music bot definitely does not need the Administrator permission (looking at you, Rythm).
If you have any connected accounts (you can access these in the
Connections section of the settings menu), you should disconnect them immediately. There is the obvious risk that dis.cool have already scraped this information; in that case, there’s nothing you can do aside from not connecting any more accounts, and removing the current ones. Over time, their data will grow stale and will essentially be useless.
Moreover, encourage server owners to follow the guidelines above. This is a stepping stone to a more secure system.
What can I do?
You should lodge a complaint with the relevant parties immediately. A good starting point would be to email these companies:
- OVH (Server hosting) (email@example.com)
- Epik (domain registrar) (firstname.lastname@example.org)
- DDoS-Guard (DDoS protection) (email@example.com)
- Discord (request form)
There are templates for emailing these companies here.
- UK GDPR enforcement contact info
- German GDPR enforcement contact info
- My post on the r/privacy subreddit
- My friend’s post on the r/discord subreddit
- My friend’s post on the r/discordapp subreddit
- The Twitter thread where I first confronted them
- The (unofficial) disdotcool subreddit
Which articles of the GDPR are they breaching?
Probably best to skip this if you’re not a lawyer.
Chapter 2; Article 6
Chapter 2; Article 8
Chapter 3; Article 17
Chapter 3; Article 20
Chapter 3; Article 21
Chapter 4; Article 25
This is very scary for the privacy of Discord users worldwide. I can only hope Discord are able to collaborate with their community to foster brand new, and more secure systems. As an observer, privacy seems to be an afterthought with Discord’s API. Thank you for reading this blog post, and I hope I have informed you of the data this group collects and sells, and how you can protect yourself in the meantime.