Discord account requiring password reset

[Kan18]

I am getting emails from discord requiring me to reset my password, similar to https://dev.cancel.fm/tktview?name=8f8ecd4b60 Has anybody else had this issue?

[mk-fg]

I've seen this problem also mentioned by multiple people in last days in #bitlbee (IRC chan on OFTC) with other 3rd-party clients - bitlbee-discord and purple-discord, also in https://github.com/EionRobb/purple-discord/issues/363 wrt latter.

Probably indeed an anti-userbot-spam measure on their part, identifying 3rd-party clients in some way. You can try enabling MFA as mentioned in that linked Ripcord thread, and use token from the browser with that, see if maybe new thing is disabled for MFA accounts or something, though dunno how likely it is.

Doubt that fixing this client to look like a browser to avoid tripping any such measures is an option, as it's probably too much work without knowing what exactly they check there (and if it's an ML filter then it's unknowable), while deviations from browser behavior are basically infinite and can't be fixed on a fundamental level w/o using the browser client.

[alanhuang122]

I'm using MFA and token-manual and still got this issue twice, once on 3 September and once on 5 September.

It's simultaneously reassuring and disheartening to hear that others are running into this issue as well.

[mk-fg]

Oh well, should probably add this to the README and finally archive the repo.

Also, maybe good advice to anyone getting this error would be to immediately get/backup any kind of important info from discords that you've joined (like maybe asking for an invite link for alt-acc in private discords) and/or notify anyone that you care to stay in touch with alternative contact details. I think it's even more likely than usual that trying to get around these measures and carrying on being "suspicious" will get discord account blocked.

[Zauberfisch]

I have not experienced this problem so far. Though I have a desktop environment on the same IP as rdircd which I used for the initial login. So it's sounds like discord might not necessarily care about the use of rdircd, but rather thinks that it's a bad actor accessing your account from another IP.

[mk-fg]

I suspect most people use this from some linux box at home, and same almost certainly goes for ripcord (issue for which linked in the top post), as that's a desktop client. Maybe you are just lucky so far, or aren't using some specific thing that is triggering this. Haven't got this problem myself either, being connected to one private test-discord where nothing happens, which might hint that it's indeed the latter.

[mk-fg]

Small heads-up about maybe a useful thing to try, suggested in the same #bitlbee channel:

As using private chats had caused some heavy-handed reaction from discord in the past already, I've asked people who had this "suspicious activity" there whether they use private chats and all of them said they have, some using those exclusively.

It's also quite possible that almost everyone uses private chats on discord (though I almost never have myself), so it's not any kind of useful signal, but idk, maybe something to try if this gets too annoying and you want to keep using the IRC, at least.

I'd suggest testing whether this helps by completely stopping interacting with private chats after one of the resets and see if no new "suspicious activity" events happen in something like a week (with e.g. it usually happening every other day), which might indeed confirm that this helps... somehow. Though if not using private chats means pretty much abandoning discord, might as well not bother, I guess :)

EDIT: nope, doesn't seem to help people who tried it, according to reports on that IRC.

[mk-fg]

From third-party reports, it sounds like discord has made this "suspicious activity" heuristic less restrictive and it no longer affects third-party clients indiscriminately. This is quite surprising to me, as didn't think they'd have any plausible reason to do it aside from implicitly supporting third-party clients this way (which are otherwise explicitly a bannable offence), as don't think anyone reported this affecting official clients in any way.

One takeaway might be that it could actually be a good thing to send custom user-agent and avoid blending-in with the mobile/browser client, if above conjecture is mostly correct, as that'd make it easier tell different use-cases apart in such heuristics, presumably allowing for more differential treatment - maybe a better one than masquerading user-spambots, in this case.

But that all is just a wild guess of course, no idea what's actually happening in the secret Discord Volcano Lair HQ.

[dowodenum]

I found this thread after getting daily password reset demands from using Ripcord alongside the official Android app, and have been checking in from time to time just to see how the case develops.

It seems they got enough flak for this change that they fixed it, because about a week ago it stopped happening daily - but now tonight I've got this:

I'm not entirely sure it's related but figured I'd leave it here and others can chime in. Sorry if it's inconvenient.

I've tried switching VPN servers and not using a VPN, using LTE on my phone, it doesn't matter.

I've never done phone verification for the servers that require it, preferring to just avoid them entirely. So it seems this will be the end of my Discord usage, and though I was leaning that way already, I didn't really expect them to make the final push. Fuck Discord. Fuck Tencent.

[mk-fg]

Ah well, sorry to hear that, though tbf I haven't found any good use for discord myself either, so maybe not a big loss, but that probably depends heavily on the person and their interests, social circles, etc. Thanks for reporting, guess I'll add a mention of this happening to the README as well, in case it might help someone to decide whether to use third-party client or maybe stay away from those and/or discord altogether.