gooberland

i got hacked :( 2026/03/22

My discord account got hacked the other day. Apparently simply clicking on an invite link is enough ¯\_(ツ)_/¯


My friend DMed me an invite link to a relatively small server -- I can't remember the name but it was 'something hangout' -- so I joined. It didn't do anything on the first click but the 2nd let me into a server FULL of crypto scam messages. I left immediately and forgot about it, went to sleep a few hours after that.

The next morning I wake up to an email from discord: "Discord account disabled for suspicious activity." What? So I read it, then open discord. EVERY person on my friends list has been DMed a crypto scam, pinged, and muted (so I don't get notifications from them ofc). Also my private test server had an @everyone with the same. C-tier hack ngl, I still had access to my account and it didn't do much. I stressfully speed through everything I know to do: reset discord password, reset gmail password, remove all authenticated bots on my account. I also enabled 2FA, which I hadn't done until then because I don't like having to go through an authenticator app every time (discord PLEASE just send me a code).

I researched a bit on the type of exploit that got me hacked, and it's actually kinda interesting. Hackers somehow hijack an expired invite link to steal your login token from your cookies or something. Ngl I think hijacking a dead link is clever yet easily preventable, but hey maybe discord should properly remove the invite embed from dead links lol.

This friend of mine who sent me the invite was apparently hacked too, hence why they sent it. As I was making sure my account was safe I noticed that they deleted the message, and after I was sure every scam message that was sent from my account was deleted, so was their account. I have no clue why the invite would be deleted unless they got their account back, but they wouldn't respond so idk
