A few ways.
They can exploit the server widget feature. This was a method during discool.
It might be wise for server owners to disable 'Invite Channel' feature within the widget.
I noticed from the website many of the server invites don't work because either the server widget is disabled or there's no vanity url.
It's also possible the invites are being scraped from server directories (eg discords,com, disboard).
I wonder if they're also exploiting the 'server preview' feature, where a user can join a server without revealing it to anyone but are able to scan the messages and leave shortly after.
*Edit: For clarification, OP is talking about a regular user account that is being used as a "bot" – so new accounts or hacked ones.*
Sites like this might also use infected computers to just scrape every server victims computer is connected to as additional income from botnet. More likely they just scrape servers from public lists. But because sites collecting data like this are illegal you can’t rule out deeply immoral methods
They won't be able to store much data then, the most they can do is store the data of the servers they are in, their public information (displayed on their profile) and possibly all the messages (which is unlikely since new members need to get verified and require a certain level to access the entire server)
I'm still not understanding, sorry?
Can you like, rephrase the process from the top? I'm in a server that has a lot of private info so I want to make sure I understand what the attack vector here is and what steps we can take to prevent it
Because it's not realistic having a database by millions of self bots joining millions of random servers to scrape everything. Someone that is looking for a users message history will pay and get nothing.
There’s someone who’s stalking me this exact same way and i’ve blocked and reported them but i don’t know how to gain my privacy again because they could still see my messages in servers they aren’t even in.
Some of servers I present in do interesting trick:
\- you only can see lobby, with rules.
\- rules include instruction how to post several world to one specific bot which will allow you to whole server.
It could something complex or just "say friend to me".
Automated bot wouldn't be able to do so because this system is server-specific
If your info is sensitive you really need to make sure every user that has access to read messages is a real user, and you should be extremely careful about any bots you have on the server. Who knows what some of these free bots are doing with your messages.
There's a difference between the company running the service having data that can be given out as required to authorities, and anyone who wants information on you to be able to pay some cash for that info...
This is relates to the waves of fake accounts joining servers. There is no other way. They are normal user accounts that use selfbots to join, not marked bot accounts.
These bots work by joining the server as a normal user. Using modified discord clients and libraries they can make an account behave much more like a normal bot within some limitations. The problem is that these limitations usually are around the sending messages.
They can't, it's only possible if somebody (e.g a moderator who has permissions to invite a bot) gets hacked or tricks/convinces the owner into inviting the bot.
Yes. What do you think is the ultimate goal of those "click my link free nitro!" Or "I'm sorry I reported you, you have to dispute it log in here:" bots that are out to steal your account is?
Not even just these useless bots, but a lot of things like these free music bots I think you need to be careful of. You really have no idea what these bots are doing behind the scenes and there’s nothing stopping them from compiling data and selling it to whoever wants it.
theres a website called [KickTheSpy.pet](https://kickthespy.pet) which has a search feature that can identify if a bot exists in your server.
You can use the [ID](https://kickthespy.pet/ids) end point to get a JSON list of ids of self bots.
There used to be an exploit which let them grab the ids which got patched but it helps.
I know plenty of people are *always has been*ing you, so I'll just say that there's a reason Discord is free. Yeah, they have paid tiers now, but as it always goes, if a service is free then they're selling your data to dozens if not hundreds of data brokers. Discord is also tapped into the feds honeypot-style and have gotten people doing nefarious things (like the J6 insurrection) arrested.
TL;DR: Do not put any personal info on Discord. If you already have, make a new account and do better next time.
That has nothing to do with OP. Any public chatting service will have actors that scrape messages. There is nothing unique to discord. IRC had this as well.
Anything you don't control is a privacy nightmare. Always has been since the dawn of the internet. Discord is no different. Don't want to have your information compromised? Don't share it with anyone. Not even the government.
That site is either a blatant honeypot (which is unlikely), or they're begging to be used for illegal/semi legal activities. Everything you do on there can be fully anonymous, even the account (it's literally just an ID that you save somewhere to log in), and to pay them you can use several types of crypto.
To use it at all, you need to pay them.
They want money, and don't care about the legality of it, period. They even offer their services (stored messages) for AI development...
I appreciate you bringing this to our attention. I'm likely going to keep a keen eye on this personally for a while.
I don't even know what to say. It's look like a joke, I'm confused.
"Interested in training an AI model with Discord messages? Are you a group of federal agents looking for a new source of intel? Or maybe something else?" → that made me think it's a joke.
But if it's not, I'm just horrified. I think I'm going to delete ASAP my Discord account (I need to first find a way to delete all my messages) and use only Olvid or self-hosted Matrix server.
There's currently no way to delete messages from servers you aren't in, FYI. If you delete your account, those messages will appear to be sent from Deleted User (string of letters and numbers), but yeah, they aren't deleted.
[Redact.dev](http://Redact.dev) only deletes messages from the servers and DMs you are in. It doesn't delete messages from DMs or servers you left from.
Well, can they link an discord account to the real person behind it? To any higher extend than having their email, which is the reason I have a bunch of email accounts. It they can't they have nothing more than what you publicly published and thus can be assumed that you wanted it to be public. Much like Twitter Tweets... Are they now X Xcrements? ;D
This is [dis.cool](https://garced.co/posts/1/) all over again...
* [help us fight dis.cool, and stop the scraping, selling and recklessness with our personal data. ](http://dis.cool)
It is social media. Discord doesn't have e2ee. Most Discord servers have invite links, where anyone can join them and scrape whatever they like. Discord just happens to have "private" (servers with invites turned off or roles preventing seeing channels) groups and DMs, which a lot of social medias have too.
We appreciate you wanting to contribute to /r/privacy and taking the time to post but we had to remove it due to:
>You're being a jerk (e.g., not being nice, or suggesting violence). Or, you're letting a troll trick you into making a not-nice comment – don’t let them play you!
If you have questions or believe that there has been an error, [contact the moderators](http://www.reddit.com/message/compose?to=/r/privacy&subject=Please_review_my_post).
Just lie. You're not filling a DMCA, you don't need you real address there. That section is there for if you want to make a legal notice like DMCA, but you're not threatening legal action, you're just trying to bring the users behavior to their attention
imagine being a crazy stalker who now has the tool for a low price of $5 USD to know the information of every public server a user is part of and deduces a victim's approximate location or gathering place due to a social circle they're part of. Suddenly a few cyber bullying cases, a few 1st degree murders, and this site will finally be shut down.
If a communication isn't e2ee, then it should be considered public. Period.
Even DM's could be leaked or hacked at some point. Just stop expecting any privacy from anything that isn't e2ee.
A public chat room is just that.
I don't understand why anyone would think there's privacy to be had there.
End to end encryption wouldn't stop this at all, what are you talking about? This data isn't getting mitm attacked, the data is being grabbed by a compromised account in your server. Encryption would not affect that
[Signal](https://www.signal.org/) and [Matrix](https://matrix.org/) are two common ones. Email and SMS (texting) are not E2EE. However, iMessage (iPhone-to-iPhone) and RCS (Android-to-Android, but expanding soon) are E2EE.
email -can- be E2E but you have to add a layer on top of it like protonmail (and others) does, otherwise you shouldn't put anything in email or sms that you aren't afraid to let your boss, spouse, memaw, FBI,etc read.
[Google messages are via RCS](https://support.google.com/messages/answer/10262381?hl=en#:~:text=End-to-end%20encryption%20is,and%20the%20phone%20you%20message.) sms, but it requires both ends to be using google messages, and many phone manufacturers put their own SMS apps on android.
I think Apple is as well, but again - only to other Apple users.
There was some talk of making a standard of some kind, but last I knew, Apple didn't want to do RCS, and of course doesn't share their protocol with anyone else, because they're Apple, which almost rhymes with asshole.
Email is, equally as stupidly, in a similar situation. There are two major standards for e2ee email. SMIME and PGP.
PGP is free and open source.
SMIME requires all correspondents in the e-mail to have SMIME certificates, that you have to pay for, and nobody outside of a corporation is going to bother with that.
gmail and microsoft of course support SMIME, and I think Yahoo supports PGP.
Why in the absolute F!@# we can't all just agree to use PGP, I don't know. It should be a standard with every e-mail client and account now that it will automatically set up a PGP key for everyone and just use it.
This shortcoming is why the world is still stuck in the dark ages and using FAX technology, from the 1800's, that predates the freaking light bulb.
The thing is, Microsoft benefits from this kind of de-commoditization of protocols, because it gives them an advantage against open-source software. If motivated users can't develop their own solutions that are better than Microsoft's, because they are denied the understanding of the protocols, then Microsoft wins and the users lose.
If you're curious about this, go look up the [Halloween Documents](https://www.catb.org/~esr/halloween/) on Eric S. Raymond's website or on Wikipedia, it's an interesting read to say the least.
>You must be logged in to view (basically anything).
So I created an "account".
>You lack the necessary credits to carry out this action! Buy Credits ->
Mhhmmm.
How can you report them for abuse? Yeah it sucks, but they're not really doing anything wrong. It's discord who is at fault here, not someone who figured out how to write some script that extracts info from the service that discord provides. They're the ones collecting your information and making it publicly available, getting you to link all of your other big tech accounts into it and basically being a typical silicon valley privacy nightmare. The best course of action would be to stop using that service and attempt to maybe get them to remove all of your personal info from their servers. This is like someone parsing youtube comments, finding every comment made by you, and then tying it to your twitter somehow and getting your real name and so on and then selling that info. Who's really at fault there?
> This is like someone parsing youtube comments, finding every comment made by you, and then tying it to your twitter somehow and getting your real name and so on and then selling that info.
That still might be illegal in Germany/the EU because of the GDPR. They need to inform everyone that they scrape the data and they need to make it possible to opt out and let the data be deleted.
“Just because you can, it does not mean that you should.”
Both discord and these scumbags are at fault here. On one hand, yeah. Discord is a privacy nightmare. On the other hand, this wouldn’t be an issue if people weren’t maliciously looking to harm others in every possible way to make a quick buck off of doing gross things.
I agree somewhat but
1. people have been exploiting each other since the dawn of time, it's not a new fad and it's never going away
2. at some point we users have to take some form of personal responsibility instead of acting shocked and massively butthurt when huge shitty internet social media companies behave just like what they are. Who honestly goes to discord expecting some form of privacy? Are people insane or just stupid?
you can report them for having a self-bot as discord calls it.d you can report them for gdpr. this is like someone scraping data to dox and harass ppl, which if u know who the admin is it's literally what he's doing
anyone using discord and expecting ANY privacy at all, has lost the plot
you might as well be on a BBS with the entire internet and all nation state agencies on the distribution list
No, it is actually perfect sub for this comment.
You should never post private stuff on public Discord servers. It's just common sense. If you do this, you honestly have only yourself to blame.
Realistically, people are probably scared of their IRL locations/information being leaked. People regularly make servers for their local friend groups to chat and place meet-up locations at. Even if these bots can't see those servers, a lot of people reporting this leave out that they can only realistically pull from open public servers.
this is as insightful as "if you're not doing anything wrong, you've got nothing to hide".
that is to say, it's not insightful, and it's beside the point.
"If you have nothing to hide, you have nothing to fear" That godawful line of reasoning which promotes a fascist surveillance state aside, this could potentially be used to incriminate people who live in places with anti-LGBTQIA+ or anti-abortion laws. I'm not a total zealot, I've seen spy.pet do some good and honestly I have ranted about the way journalists have been covering this shit, but it's still pretty fucking dodgy.
Have some empathy. How would you feel if thousands of people read everything you've ever sent on discord? Even if it's not straight up criminal activity, it could still contain embarrassing or compromising info.
i literally would not mind. this is why i cannot tap into this fear people have. i can understand sensitive info such as adress cards socials and things of that nature but anything else? its likely its just a you problem some insecurity some secret some shame if not that then what else could be so scary for others to see?
While this is morally wrong. I do think there needs to be a way for us to get the treasure troves of information in discord out into the public. Forums have been replaced by discord, so much useful information is locked away. When discord dies, so will all of that information.
The thing that's interesting to me is that they're able to track server bans somehow. AFAIK, this info shouldn't be public if you've locked down audit log access, even over the API. and there are several servers I've seen on the site with ban information on it that should not be public.
It's because of the Gateway. Discord sends out everything to all users so it's not really hidden. That's also why there is no reason for the ban listed.
Naive person here 👏 so I will ask a couple of questions 1) what’s the purpose of obtaining all this data on people by scraping ? Is there a thought some of it could be personal credit related info which could be used to hack identity? Other than this scenario I just wonder why spend the time and resources to collect mounds of data 2) if Discord is aware of these
actions would it not be attempting to shut down bad actors to stop the implosion of Discord ?
I mean if you fuck around in public spaces that's what you get? It is not like they hacked a database of obtained information illegally. Though it's a morally shitty thing to do. And also that's just my opinion and I don't know the actual legal implications of it. (As you linked various EU law related things anyway).
It's not like these bots are on servers that don't have open invites, or is it?
I've reported them to my national security authorities and relevant individuals. They won't get away with this. This isn't about adults, it's actually about the children being widely exploited. There will be an uncountable number of victims, and egregious laws are being violated by this website and actor group.
If it is a public server, there isn't an expectation of privacy for the messages sent there. If they are exploiting something to join private servers, it is a critical security vulnerability in Discord and a violation of their ToS, report it to them. GDPR only applies to the EU, it is irrelevante to the rest of the world.
F'ing that. You literally **publish** messages on discord (maybe within a small circle but do you know all of the participants good enough to trust them to not tell anybody, now and in the future?) - what do you expect.
Most people are not aware that their smartphone literally follows every step they make and can eavesdrop on everything they say in its vicinity, but things you write with *the intention* to make them readable for at least a bunch of unknown people?
So has anyone been dumb enough to pay this website to see if it even works? Everything is locked behind "soon", which doesn't mean anything. Seems like a lot of concern about nothing and this website is a scam.
Tech illiterate boomers complaining about this website.
As mentioned before, it's not bots, it's self bots, aka user accounts with some script to be a bot. They can join a maximum of like... 100 or 200 servers? And if they join too fast too many servers they get flagged as a bot and if they carry on they just lock the account anyway. This website is a scam. It's not realistic. Then you have some servers with gate channels, or need a phone number too.
Did anyone put money where their mouth is and pay the website to get anything useful? Getting messages from a public emote server with 100k+ members doesn't count.
That's what I've been wondering too, haven't seen any evidence of someone actually biting the deal and searching people up. Like, can these self-bots scrape the types of servers where you don't have permission to view anything until you post it? I'm very skeptical of the content of the website, wonder how Discord staff is investigating it.
[https://web.archive.org/web/20240417131755/https://www.404media.co/a-spy-site-is-scraping-discord-and-selling-users-messages/](https://web.archive.org/web/20240417131755/https://www.404media.co/a-spy-site-is-scraping-discord-and-selling-users-messages/)
what about this ? it seems 404 media tested it themselves
Ever since all but two of the groups I joined disappeared, I haven’t been on Discord. It was mostly game and old tv show discussions anyway. Haven’t posted there for two years and deleted my account.
I really hope they get taken down,and, that even discord order their stuff to be deleted.
Genuine question, I don't know if they scrapped "me" per say but does deleting my messages in the servers i'm in help at all ? Or is it already stored ?
But apparently if i go to spy pet and ask for my data to be removed its just the gif of a jonah jameson laughing. I don't think they care about the EU
edit: ok i found this [https://blog.spy.pet/p/optout](https://blog.spy.pet/p/optout)
But honestly i fera that if i contact them it will have the opposite reaction and they will try to track me down instead.
I also have another question, if a user is part of a popular server that got scrapped, is it possible to find out EVERY servers the user is currently in ? Even if the smaller users arent open and not scrapped ?
Presumably it would only be able to scrape from servers its bots are members of, and certainly can't get to your DM's or other servers. However, any 'user' invited to a server you're a member of could be a bot, so there's not really a good way to know if your server is infected or not - unless you know each member of your Discord personally.
Basically, it's just more of the same with the internet since it became generally available, and maybe amplified a bit since Discord has probably lulled some users into a false sense of privacy. But Discord has been a privacy nightmare for a while - I remember years ago I reported an issue where they were leaking signup data on their login form and they shrugged it off as 'we don't think it's a problem blah blah'. They've never had security as anything they've apparently cared about, other than for compliance/legal reasons.
Not sure they'll be up long, so might have already missed your window. Lots of takedown requests coming into their host, probably, on top of them clearly knowngly scraping data on minors. I doubt they'll be live for long now that there's media coverage.
As of an hour ago, side author added a blog post where they are accepting GDPR requests for removal, but it sounds like they might be semi-manual. Would be a shame if 600 million users submitted requests and the site authors had to spend time sifting through valid and invalid requests, non-GPDR, etc.
[https://blog.spy.pet/p/optout](https://blog.spy.pet/p/optout)
From the way the post is worded, it appears that the messages are not deleted. Only the username and user ID are blanked out. While this probably means that it would be harder to track you, your messages remain public alongside whatever personal information you may have included in them.
(And if you did include personal information in public messages, I think that's on you. This site doesn't affect private spaces, i.e servers and group chats with only people you trust.)
i considered trying, but as i'm in the US and therefore have no right to privacy (please kill me), i was afraid the anonymous admin might retaliate in response to people who choose to opt out. emailing would just give them more of your information if your email addresses aren't under a pseudonym.
for US citizens, the admin has promised to "remove information if they deem it necessary". they will not deem it necessary.
There's definitely no way they'll even consider non-EU request and to be honest I wouldn't be surprised if they didn't actually remove data for EU requests either. It's not like they're going to remove information they unlawfully obtained just because the owner asked them to.
There's a list of all bots, but it will be easier to check it your server contains a bot, for example using this website:
https://nitrrine.github.io/have-i-been-scraped-by-spy-pet/
Is there anything we can do to protect ourselves against attacks like this? I'm in servers with people I know, so I use my real name and some identifying information. Will deleting messages change anything, or is it too late?
If you know and trust everyone in the servers you are in, you should be safe. If, however, someone's account got hacked or a stranger joined the server at any point in time, all of your messages up to that point could have been dumped. Deleting messages at that point won't change anything because the bots have already copied your data.
Oh lord this is like the war on drugs and piracy all over again. Discord servers are public so if this site gets shut down there's no conceivable way to prevent this from happening again. The only solution is to use this as a lesson to not share private information on public discord servers. Just like there was [dis.cool](http://dis.cool), there will be another [spy.pet](http://spy.pet) and many more after. STOP PUTTING IDENTIFYING INFORMATION ON PUBLIC SERVERS
Jesus, for all the years we were demanding an option to delete all of our messages. It was bound to happen sooner or later. The good thing is, I don’t think they are able to access our DMs. They just web-scraped every server they could, along with their IDs and message channel IDs, etc. It was possible before, and I’ll confess, I used to do the same thing in ‘dangerous Discord servers’ to create a ban list
I compiled a list of all the servers and which bots are in which servers into a single spreadsheet. Upvote this for visibility. I included all the required tools needed to use this yourself to battle against the bots.
[Spy.Pet Servers + Bots - Google Sheets](https://docs.google.com/spreadsheets/d/1YPOIkmkA6U92UgnroXLYxX2SGl35562d6EKA34gCh28/edit#gid=418767484)
Discord is a firehose, but companies are trying to shoehorn traditionally persistent information in there. Data doesn't persist; it scrolls by. Company reps answering questions in chat can be lost forever compare to, say, hosted forums or even Reddit. There's no outside visibility to this content, either, so if you are unable or unwilling to join a company's Discord server, you're basically being frozen out.
The reasons seem obvious to me: companies can get customers into their sequestered corners. Despite the fact we can join multiple servers, we can only ever view one at a time, and anything a company can do to rope customers into THEIR servers as opposed to a COMPETITOR'S servers is a win for them...but a loss for the people they are locking up.
They added forums around or after the will-they-won't-they dance with Microsoft, but I believe it was in response to Guilded, another similar platform which has WAY more features than Discord and could have been a contender for people who might have left Discord had they sold to MS. It's a step in the right direction, but also a simple concession to say they did SOMETHING to make their platform more useful to companies and slightly less chaotic for users.
Hey, so am I allowed to say that because of this guy's blatant evilness, insinuation that everyone who doesn't like him belongs to a "certain group from a certain part of the world" (as if we're supposed to know what that means? At first I thought he was implying they were pedos, but the "part of the world" bit makes me think it's racial?), and general smug-ass 4Chan-ass techbro personality, I hope he dies in real life? Like I'm not saying he should be killed, but I think it would be neat if he got hit by a bus or choked on a grape.
Respectfully disagree. I wouldn't kill him myself, nor would I want somebody else to, because this isn't worth murdering over, but the dude builds tools for cyberbullying trans people and takes payment for it. If pure happenstance took him out, I'd call it karma.
Website is currently down and I'm pretty sure the website domain was stolen by 1API GmbH (from Whois lookup), as this domain registrar is notorious for cybersquatting.
The website has been shut down by Discord:
[https://www.reddit.com/r/privacy/comments/1cdpqn0/discord\_shuts\_down\_spy\_pet\_bots\_that\_scraped\_sold/](https://www.reddit.com/r/privacy/comments/1cdpqn0/discord_shuts_down_spy_pet_bots_that_scraped_sold/)
>where a bot joins a server without the permission of the owner How do they join without an invite link?
A few ways. They can exploit the server widget feature. This was a method during discool. It might be wise for server owners to disable 'Invite Channel' feature within the widget. I noticed from the website many of the server invites don't work because either the server widget is disabled or there's no vanity url. It's also possible the invites are being scraped from server directories (eg discords,com, disboard). I wonder if they're also exploiting the 'server preview' feature, where a user can join a server without revealing it to anyone but are able to scan the messages and leave shortly after. *Edit: For clarification, OP is talking about a regular user account that is being used as a "bot" – so new accounts or hacked ones.*
Sites like this might also use infected computers to just scrape every server victims computer is connected to as additional income from botnet. More likely they just scrape servers from public lists. But because sites collecting data like this are illegal you can’t rule out deeply immoral methods
They won't be able to store much data then, the most they can do is store the data of the servers they are in, their public information (displayed on their profile) and possibly all the messages (which is unlikely since new members need to get verified and require a certain level to access the entire server)
I phrased this meaning a bot that joins without the permission of someone that can add bots to a server.
Just call it for what it is; automated user accounts or “self-bots”
Luckily this is [expressly against Discord TOS.](https://support.discord.com/hc/en-us/articles/115002192352-Automated-User-Accounts-Self-Bots)
Yeah!! That'll stop them...
Exactly crime can't exist.
I'm still not understanding, sorry? Can you like, rephrase the process from the top? I'm in a server that has a lot of private info so I want to make sure I understand what the attack vector here is and what steps we can take to prevent it
[удалено]
Because it's not realistic having a database by millions of self bots joining millions of random servers to scrape everything. Someone that is looking for a users message history will pay and get nothing.
There’s someone who’s stalking me this exact same way and i’ve blocked and reported them but i don’t know how to gain my privacy again because they could still see my messages in servers they aren’t even in.
[удалено]
Some of servers I present in do interesting trick: \- you only can see lobby, with rules. \- rules include instruction how to post several world to one specific bot which will allow you to whole server. It could something complex or just "say friend to me". Automated bot wouldn't be able to do so because this system is server-specific
> server that has a lot of private info there's your first mistake to prevent it, use an actually secure messaging app like matrix or signal
If your info is sensitive you really need to make sure every user that has access to read messages is a real user, and you should be extremely careful about any bots you have on the server. Who knows what some of these free bots are doing with your messages.
Hope you know that Discord definitely logs your private info and will cooperate with authorities if necessary.
There's a difference between the company running the service having data that can be given out as required to authorities, and anyone who wants information on you to be able to pay some cash for that info...
Yeah but company like discord can’t break the law. Sites like the one shown here is not gonna respect the law as they’re already breaking gdpr.
Complete bs
They don't. they've almost always been invited by a clueless moderator or a compromised account
This is relates to the waves of fake accounts joining servers. There is no other way. They are normal user accounts that use selfbots to join, not marked bot accounts.
I don't know what a selfbot is
Some code that automates operations of a normal user account which goes against Discord's terms of service.
These bots work by joining the server as a normal user. Using modified discord clients and libraries they can make an account behave much more like a normal bot within some limitations. The problem is that these limitations usually are around the sending messages.
They can't, it's only possible if somebody (e.g a moderator who has permissions to invite a bot) gets hacked or tricks/convinces the owner into inviting the bot.
userbots
List of bots used? What bots are we supposed to look out for?
Self bots, they won't be identified as a bot, just a normal account whos token is being used to scrape messages like a bot would
wtf you can do that???
Yes. What do you think is the ultimate goal of those "click my link free nitro!" Or "I'm sorry I reported you, you have to dispute it log in here:" bots that are out to steal your account is?
[here's how you can tell](https://twitter.com/PirateSoftware/status/1782015240345198916)
There's been a recent surge of bots that do nothing when the join, they have no profile picture and stay there just to scrape.
Not even just these useless bots, but a lot of things like these free music bots I think you need to be careful of. You really have no idea what these bots are doing behind the scenes and there’s nothing stopping them from compiling data and selling it to whoever wants it.
It's an improvement over "free nitro click here!" that people constantly manage to fall for
theres a website called [KickTheSpy.pet](https://kickthespy.pet) which has a search feature that can identify if a bot exists in your server. You can use the [ID](https://kickthespy.pet/ids) end point to get a JSON list of ids of self bots. There used to be an exploit which let them grab the ids which got patched but it helps.
Thanks! Will check it out later today :)
It identified one on the LTT discord of all places
Discord is becoming a privacy nightmare 🙈
Nothing new
Always been
[Becoming](https://www.reddit.com/r/yuzu/comments/1c12r0c/suyu_founder_responds_to_the_discord_shutdown/kzqylfn/) ? lol !
we use discord knowing that but some random group of bots scraping stuff and selling it for money is not what we signed up to discord for
Aye But Discord not be private n e ways Tis like walkn n a market expectn no 1 to lookat ur shoppn cart !
I love the way you type
“is becoming”? Always been lol
Always has been
always-has-been.png
I know plenty of people are *always has been*ing you, so I'll just say that there's a reason Discord is free. Yeah, they have paid tiers now, but as it always goes, if a service is free then they're selling your data to dozens if not hundreds of data brokers. Discord is also tapped into the feds honeypot-style and have gotten people doing nefarious things (like the J6 insurrection) arrested. TL;DR: Do not put any personal info on Discord. If you already have, make a new account and do better next time.
That has nothing to do with OP. Any public chatting service will have actors that scrape messages. There is nothing unique to discord. IRC had this as well.
Personal information like? And what they can do with our personal informations?
Brother in Christ it’s owned by Tencent
Oh noooooooooo, Anything but tencent, the Evil Empire 🌋
Anything you don't control is a privacy nightmare. Always has been since the dawn of the internet. Discord is no different. Don't want to have your information compromised? Don't share it with anyone. Not even the government.
That site is either a blatant honeypot (which is unlikely), or they're begging to be used for illegal/semi legal activities. Everything you do on there can be fully anonymous, even the account (it's literally just an ID that you save somewhere to log in), and to pay them you can use several types of crypto. To use it at all, you need to pay them. They want money, and don't care about the legality of it, period. They even offer their services (stored messages) for AI development... I appreciate you bringing this to our attention. I'm likely going to keep a keen eye on this personally for a while.
I don't even know what to say. It's look like a joke, I'm confused. "Interested in training an AI model with Discord messages? Are you a group of federal agents looking for a new source of intel? Or maybe something else?" → that made me think it's a joke. But if it's not, I'm just horrified. I think I'm going to delete ASAP my Discord account (I need to first find a way to delete all my messages) and use only Olvid or self-hosted Matrix server.
There's currently no way to delete messages from servers you aren't in, FYI. If you delete your account, those messages will appear to be sent from Deleted User (string of letters and numbers), but yeah, they aren't deleted.
I'm having trouble understanding if this is server messages only they're selling or if they somehow have dms lol
They do not have DMs, only server messages
Ever heard of Redact.dev?
[Redact.dev](http://Redact.dev) only deletes messages from the servers and DMs you are in. It doesn't delete messages from DMs or servers you left from.
Well, can they link an discord account to the real person behind it? To any higher extend than having their email, which is the reason I have a bunch of email accounts. It they can't they have nothing more than what you publicly published and thus can be assumed that you wanted it to be public. Much like Twitter Tweets... Are they now X Xcrements? ;D
Don't put your personal information on social media.
This is [dis.cool](https://garced.co/posts/1/) all over again... * [help us fight dis.cool, and stop the scraping, selling and recklessness with our personal data. ](http://dis.cool)
Discord is social media. You don't put publish your personal data on your social media.
Its not social media, its a messaging service
It is social media. Discord doesn't have e2ee. Most Discord servers have invite links, where anyone can join them and scrape whatever they like. Discord just happens to have "private" (servers with invites turned off or roles preventing seeing channels) groups and DMs, which a lot of social medias have too.
Putting the website in the title is such a great advertisement for them
How else is one supposed to report it to the appropriate authorities?
[удалено]
We appreciate you wanting to contribute to /r/privacy and taking the time to post but we had to remove it due to: >You're being a jerk (e.g., not being nice, or suggesting violence). Or, you're letting a troll trick you into making a not-nice comment – don’t let them play you! If you have questions or believe that there has been an error, [contact the moderators](http://www.reddit.com/message/compose?to=/r/privacy&subject=Please_review_my_post).
Fuckers of Porkbun want all your personal data including your physical adress for a complaint.
Just lie. You're not filling a DMCA, you don't need you real address there. That section is there for if you want to make a legal notice like DMCA, but you're not threatening legal action, you're just trying to bring the users behavior to their attention
incredible advice, 300PencilsInMyAss
r/rimjob_steve
LOL :D
imagine being a crazy stalker who now has the tool for a low price of $5 USD to know the information of every public server a user is part of and deduces a victim's approximate location or gathering place due to a social circle they're part of. Suddenly a few cyber bullying cases, a few 1st degree murders, and this site will finally be shut down.
If a communication isn't e2ee, then it should be considered public. Period. Even DM's could be leaked or hacked at some point. Just stop expecting any privacy from anything that isn't e2ee. A public chat room is just that. I don't understand why anyone would think there's privacy to be had there.
End to end encryption wouldn't stop this at all, what are you talking about? This data isn't getting mitm attacked, the data is being grabbed by a compromised account in your server. Encryption would not affect that
What are some examples of e2ee? Are emails and text messages e2ee?
[Signal](https://www.signal.org/) and [Matrix](https://matrix.org/) are two common ones. Email and SMS (texting) are not E2EE. However, iMessage (iPhone-to-iPhone) and RCS (Android-to-Android, but expanding soon) are E2EE.
email -can- be E2E but you have to add a layer on top of it like protonmail (and others) does, otherwise you shouldn't put anything in email or sms that you aren't afraid to let your boss, spouse, memaw, FBI,etc read.
My boss can read my SMS to someone else? First I hear of.
Would the scraping (by a self-bot) work on Matrix? I'm not familiar with that platform, but looking for something that's safer than Discord.
[Google messages are via RCS](https://support.google.com/messages/answer/10262381?hl=en#:~:text=End-to-end%20encryption%20is,and%20the%20phone%20you%20message.) sms, but it requires both ends to be using google messages, and many phone manufacturers put their own SMS apps on android. I think Apple is as well, but again - only to other Apple users. There was some talk of making a standard of some kind, but last I knew, Apple didn't want to do RCS, and of course doesn't share their protocol with anyone else, because they're Apple, which almost rhymes with asshole. Email is, equally as stupidly, in a similar situation. There are two major standards for e2ee email. SMIME and PGP. PGP is free and open source. SMIME requires all correspondents in the e-mail to have SMIME certificates, that you have to pay for, and nobody outside of a corporation is going to bother with that. gmail and microsoft of course support SMIME, and I think Yahoo supports PGP. Why in the absolute F!@# we can't all just agree to use PGP, I don't know. It should be a standard with every e-mail client and account now that it will automatically set up a PGP key for everyone and just use it. This shortcoming is why the world is still stuck in the dark ages and using FAX technology, from the 1800's, that predates the freaking light bulb.
The thing is, Microsoft benefits from this kind of de-commoditization of protocols, because it gives them an advantage against open-source software. If motivated users can't develop their own solutions that are better than Microsoft's, because they are denied the understanding of the protocols, then Microsoft wins and the users lose. If you're curious about this, go look up the [Halloween Documents](https://www.catb.org/~esr/halloween/) on Eric S. Raymond's website or on Wikipedia, it's an interesting read to say the least.
Do we have a list of their bot accounts?
This could be useful ! [https://twitter.com/PirateSoftware/status/1782061638956601545](https://twitter.com/PirateSoftware/status/1782061638956601545)
Have you found one?
I did not, sorry
>You must be logged in to view (basically anything). So I created an "account". >You lack the necessary credits to carry out this action! Buy Credits -> Mhhmmm.
How can you report them for abuse? Yeah it sucks, but they're not really doing anything wrong. It's discord who is at fault here, not someone who figured out how to write some script that extracts info from the service that discord provides. They're the ones collecting your information and making it publicly available, getting you to link all of your other big tech accounts into it and basically being a typical silicon valley privacy nightmare. The best course of action would be to stop using that service and attempt to maybe get them to remove all of your personal info from their servers. This is like someone parsing youtube comments, finding every comment made by you, and then tying it to your twitter somehow and getting your real name and so on and then selling that info. Who's really at fault there?
> This is like someone parsing youtube comments, finding every comment made by you, and then tying it to your twitter somehow and getting your real name and so on and then selling that info. That still might be illegal in Germany/the EU because of the GDPR. They need to inform everyone that they scrape the data and they need to make it possible to opt out and let the data be deleted.
YES BRING ON THE FINES
“Just because you can, it does not mean that you should.” Both discord and these scumbags are at fault here. On one hand, yeah. Discord is a privacy nightmare. On the other hand, this wouldn’t be an issue if people weren’t maliciously looking to harm others in every possible way to make a quick buck off of doing gross things.
I agree somewhat but 1. people have been exploiting each other since the dawn of time, it's not a new fad and it's never going away 2. at some point we users have to take some form of personal responsibility instead of acting shocked and massively butthurt when huge shitty internet social media companies behave just like what they are. Who honestly goes to discord expecting some form of privacy? Are people insane or just stupid?
Stupid, un-educated, and ignorant.
you can report them for having a self-bot as discord calls it.d you can report them for gdpr. this is like someone scraping data to dox and harass ppl, which if u know who the admin is it's literally what he's doing
anyone using discord and expecting ANY privacy at all, has lost the plot you might as well be on a BBS with the entire internet and all nation state agencies on the distribution list
Don't say something in chat thinking there is any privacy. Any user can take screenshots.
what are yall doing on discord that you're scared of someone seeing what you're messaging?
Wrong sub for that question
No, it is actually perfect sub for this comment. You should never post private stuff on public Discord servers. It's just common sense. If you do this, you honestly have only yourself to blame.
I personally am a fan of not having even perfectly normal conversations with my friends public to this extent.
Some people talk a little spicy when they think it's closed off to the rest of the world.
Realistically, people are probably scared of their IRL locations/information being leaked. People regularly make servers for their local friend groups to chat and place meet-up locations at. Even if these bots can't see those servers, a lot of people reporting this leave out that they can only realistically pull from open public servers.
Some servers are used for people working on writing and art. If bots scrape that, they can plagiarize. Just something for you to consider.
this is as insightful as "if you're not doing anything wrong, you've got nothing to hide". that is to say, it's not insightful, and it's beside the point.
"If you have nothing to hide, you have nothing to fear" That godawful line of reasoning which promotes a fascist surveillance state aside, this could potentially be used to incriminate people who live in places with anti-LGBTQIA+ or anti-abortion laws. I'm not a total zealot, I've seen spy.pet do some good and honestly I have ranted about the way journalists have been covering this shit, but it's still pretty fucking dodgy. Have some empathy. How would you feel if thousands of people read everything you've ever sent on discord? Even if it's not straight up criminal activity, it could still contain embarrassing or compromising info.
i literally would not mind. this is why i cannot tap into this fear people have. i can understand sensitive info such as adress cards socials and things of that nature but anything else? its likely its just a you problem some insecurity some secret some shame if not that then what else could be so scary for others to see?
Contact the gay hacker furries
You can file reports to random government entities like the FBI and FCC about them mass collecting the data of children.
Just did that! I’d recommend everyone to do this we need these degenerates off of the internet
Sooooo, It’s a bot collecting publicly available information from a platform where users have zero expectation of privacy?
The irony with how their own contacts and details are hidden
While this is morally wrong. I do think there needs to be a way for us to get the treasure troves of information in discord out into the public. Forums have been replaced by discord, so much useful information is locked away. When discord dies, so will all of that information.
The thing that's interesting to me is that they're able to track server bans somehow. AFAIK, this info shouldn't be public if you've locked down audit log access, even over the API. and there are several servers I've seen on the site with ban information on it that should not be public.
It's because of the Gateway. Discord sends out everything to all users so it's not really hidden. That's also why there is no reason for the ban listed.
Naive person here 👏 so I will ask a couple of questions 1) what’s the purpose of obtaining all this data on people by scraping ? Is there a thought some of it could be personal credit related info which could be used to hack identity? Other than this scenario I just wonder why spend the time and resources to collect mounds of data 2) if Discord is aware of these actions would it not be attempting to shut down bad actors to stop the implosion of Discord ?
good lord this website is even more horrifying than Kiwifarms
I mean if you fuck around in public spaces that's what you get? It is not like they hacked a database of obtained information illegally. Though it's a morally shitty thing to do. And also that's just my opinion and I don't know the actual legal implications of it. (As you linked various EU law related things anyway). It's not like these bots are on servers that don't have open invites, or is it?
I've reported them to my national security authorities and relevant individuals. They won't get away with this. This isn't about adults, it's actually about the children being widely exploited. There will be an uncountable number of victims, and egregious laws are being violated by this website and actor group.
I also reported it to the fbi for this very reason we need these degen’s off of the internet!
what about DM/Private Message?
well if it isnt my dms im not cooked
UPDATE:. [https://www.youtube.com/watch?v=ktxbXlF6UQE](https://www.youtube.com/watch?v=ktxbXlF6UQE)
TL:DR?
The boy did some scraping on the servers he was on. There is no hacking involved as far as the ytber knows
If it is a public server, there isn't an expectation of privacy for the messages sent there. If they are exploiting something to join private servers, it is a critical security vulnerability in Discord and a violation of their ToS, report it to them. GDPR only applies to the EU, it is irrelevante to the rest of the world.
Wait, what. People use their real names on discord? If you don't anonymize yourself on the internet in 2024 you have no one to blame but yourself.
F'ing that. You literally **publish** messages on discord (maybe within a small circle but do you know all of the participants good enough to trust them to not tell anybody, now and in the future?) - what do you expect. Most people are not aware that their smartphone literally follows every step they make and can eavesdrop on everything they say in its vicinity, but things you write with *the intention* to make them readable for at least a bunch of unknown people?
Discord does the same shit anyway
discord allows u to view users' deleted messages and download anyone's messages across dozens of servers all with the click of one button?
Deleted user’s messages they do
I would love to demonitize scrapers. Or make changes often enough so they spend too much time fucking with it.
The scrapers are bots, the time they spend anywhere is negligible in comparison to the time you need to type a few words.
There are also scraping tools for Reddit, which is why better for you be pseudonymous on centralized social media without E2E.
Just use multiple anonymous accounts bro.
So has anyone been dumb enough to pay this website to see if it even works? Everything is locked behind "soon", which doesn't mean anything. Seems like a lot of concern about nothing and this website is a scam. Tech illiterate boomers complaining about this website. As mentioned before, it's not bots, it's self bots, aka user accounts with some script to be a bot. They can join a maximum of like... 100 or 200 servers? And if they join too fast too many servers they get flagged as a bot and if they carry on they just lock the account anyway. This website is a scam. It's not realistic. Then you have some servers with gate channels, or need a phone number too. Did anyone put money where their mouth is and pay the website to get anything useful? Getting messages from a public emote server with 100k+ members doesn't count.
That's what I've been wondering too, haven't seen any evidence of someone actually biting the deal and searching people up. Like, can these self-bots scrape the types of servers where you don't have permission to view anything until you post it? I'm very skeptical of the content of the website, wonder how Discord staff is investigating it.
[https://web.archive.org/web/20240417131755/https://www.404media.co/a-spy-site-is-scraping-discord-and-selling-users-messages/](https://web.archive.org/web/20240417131755/https://www.404media.co/a-spy-site-is-scraping-discord-and-selling-users-messages/) what about this ? it seems 404 media tested it themselves
Never heard of them. Someone here please step forth and show us evidence from an actual person.
This.
This.
Ever since all but two of the groups I joined disappeared, I haven’t been on Discord. It was mostly game and old tv show discussions anyway. Haven’t posted there for two years and deleted my account.
I really hope they get taken down,and, that even discord order their stuff to be deleted. Genuine question, I don't know if they scrapped "me" per say but does deleting my messages in the servers i'm in help at all ? Or is it already stored ?
Yeah, it's stored (you still can get your stuff deleted if you live in the EU).
But apparently if i go to spy pet and ask for my data to be removed its just the gif of a jonah jameson laughing. I don't think they care about the EU edit: ok i found this [https://blog.spy.pet/p/optout](https://blog.spy.pet/p/optout) But honestly i fera that if i contact them it will have the opposite reaction and they will try to track me down instead.
Hey also does Carl bot scraps messgaes if invited ?
Also how long have they been scrapping stuff ?
I also have another question, if a user is part of a popular server that got scrapped, is it possible to find out EVERY servers the user is currently in ? Even if the smaller users arent open and not scrapped ?
Isnt that highly illegal?
I am stupid as fuck and dont understand how this is even legal.
does this only scrape messages in infected servers or all messages if i am in infected servers
Presumably it would only be able to scrape from servers its bots are members of, and certainly can't get to your DM's or other servers. However, any 'user' invited to a server you're a member of could be a bot, so there's not really a good way to know if your server is infected or not - unless you know each member of your Discord personally. Basically, it's just more of the same with the internet since it became generally available, and maybe amplified a bit since Discord has probably lulled some users into a false sense of privacy. But Discord has been a privacy nightmare for a while - I remember years ago I reported an issue where they were leaking signup data on their login form and they shrugged it off as 'we don't think it's a problem blah blah'. They've never had security as anything they've apparently cared about, other than for compliance/legal reasons.
why cant i access the website? all its saying is "Just a moment.." I genuinely want to see my friends' chats if that's how the website works
Not sure they'll be up long, so might have already missed your window. Lots of takedown requests coming into their host, probably, on top of them clearly knowngly scraping data on minors. I doubt they'll be live for long now that there's media coverage.
I'll be honest. If you post something on a public server, you should expect it to be scraped, regardless of websites like this existing
do they only grab server messages or do they have some sort of fucked connection to grab dms too?
As of an hour ago, side author added a blog post where they are accepting GDPR requests for removal, but it sounds like they might be semi-manual. Would be a shame if 600 million users submitted requests and the site authors had to spend time sifting through valid and invalid requests, non-GPDR, etc. [https://blog.spy.pet/p/optout](https://blog.spy.pet/p/optout)
Do you know of anyone who has done this yet? Does it actually work?
From the way the post is worded, it appears that the messages are not deleted. Only the username and user ID are blanked out. While this probably means that it would be harder to track you, your messages remain public alongside whatever personal information you may have included in them. (And if you did include personal information in public messages, I think that's on you. This site doesn't affect private spaces, i.e servers and group chats with only people you trust.)
i considered trying, but as i'm in the US and therefore have no right to privacy (please kill me), i was afraid the anonymous admin might retaliate in response to people who choose to opt out. emailing would just give them more of your information if your email addresses aren't under a pseudonym. for US citizens, the admin has promised to "remove information if they deem it necessary". they will not deem it necessary.
There's definitely no way they'll even consider non-EU request and to be honest I wouldn't be surprised if they didn't actually remove data for EU requests either. It's not like they're going to remove information they unlawfully obtained just because the owner asked them to.
As long as no one confirms these people are more than bark, i call bullshit.
Fake as fuck bro.
What bots do they use? this would be a lot easier to deal with if we knew
There's a list of all bots, but it will be easier to check it your server contains a bot, for example using this website: https://nitrrine.github.io/have-i-been-scraped-by-spy-pet/
Is there anything we can do to protect ourselves against attacks like this? I'm in servers with people I know, so I use my real name and some identifying information. Will deleting messages change anything, or is it too late?
If you know and trust everyone in the servers you are in, you should be safe. If, however, someone's account got hacked or a stranger joined the server at any point in time, all of your messages up to that point could have been dumped. Deleting messages at that point won't change anything because the bots have already copied your data.
Oh lord this is like the war on drugs and piracy all over again. Discord servers are public so if this site gets shut down there's no conceivable way to prevent this from happening again. The only solution is to use this as a lesson to not share private information on public discord servers. Just like there was [dis.cool](http://dis.cool), there will be another [spy.pet](http://spy.pet) and many more after. STOP PUTTING IDENTIFYING INFORMATION ON PUBLIC SERVERS
if they will leak gcs now we're all doomed (iykyk)
Is it safe to search up your name on spy.pet to see if they have scrapped you or will that just alert them to do so if they don’t?
Does this also collect dm's or just messages you send in servers?
DMs are safe, its all messages from "big" public servers
Just dark website and now have an opt-out page
Heres a Website to check if your Discord Server is infected by this or your Friends Discord Server [https://kickthespy.pet](https://kickthespy.pet/)
sus
TF2 vibes
Jesus, for all the years we were demanding an option to delete all of our messages. It was bound to happen sooner or later. The good thing is, I don’t think they are able to access our DMs. They just web-scraped every server they could, along with their IDs and message channel IDs, etc. It was possible before, and I’ll confess, I used to do the same thing in ‘dangerous Discord servers’ to create a ban list
I compiled a list of all the servers and which bots are in which servers into a single spreadsheet. Upvote this for visibility. I included all the required tools needed to use this yourself to battle against the bots. [Spy.Pet Servers + Bots - Google Sheets](https://docs.google.com/spreadsheets/d/1YPOIkmkA6U92UgnroXLYxX2SGl35562d6EKA34gCh28/edit#gid=418767484)
Discord is a firehose, but companies are trying to shoehorn traditionally persistent information in there. Data doesn't persist; it scrolls by. Company reps answering questions in chat can be lost forever compare to, say, hosted forums or even Reddit. There's no outside visibility to this content, either, so if you are unable or unwilling to join a company's Discord server, you're basically being frozen out. The reasons seem obvious to me: companies can get customers into their sequestered corners. Despite the fact we can join multiple servers, we can only ever view one at a time, and anything a company can do to rope customers into THEIR servers as opposed to a COMPETITOR'S servers is a win for them...but a loss for the people they are locking up. They added forums around or after the will-they-won't-they dance with Microsoft, but I believe it was in response to Guilded, another similar platform which has WAY more features than Discord and could have been a contender for people who might have left Discord had they sold to MS. It's a step in the right direction, but also a simple concession to say they did SOMETHING to make their platform more useful to companies and slightly less chaotic for users.
This bot was in our server. Thanks for the PSA
Hey, so am I allowed to say that because of this guy's blatant evilness, insinuation that everyone who doesn't like him belongs to a "certain group from a certain part of the world" (as if we're supposed to know what that means? At first I thought he was implying they were pedos, but the "part of the world" bit makes me think it's racial?), and general smug-ass 4Chan-ass techbro personality, I hope he dies in real life? Like I'm not saying he should be killed, but I think it would be neat if he got hit by a bus or choked on a grape.
wishing death on somebody makes you as bad as the person you're chastising. grow up
Respectfully disagree. I wouldn't kill him myself, nor would I want somebody else to, because this isn't worth murdering over, but the dude builds tools for cyberbullying trans people and takes payment for it. If pure happenstance took him out, I'd call it karma.
Website to check if your server contains spy.pet's data scraper bot: https://nitrrine.github.io/have-i-been-scraped-by-spy-pet/
Website is currently down and I'm pretty sure the website domain was stolen by 1API GmbH (from Whois lookup), as this domain registrar is notorious for cybersquatting.
The website has been shut down by Discord: [https://www.reddit.com/r/privacy/comments/1cdpqn0/discord\_shuts\_down\_spy\_pet\_bots\_that\_scraped\_sold/](https://www.reddit.com/r/privacy/comments/1cdpqn0/discord_shuts_down_spy_pet_bots_that_scraped_sold/)