If you use Discord, beware: Your activity—in both public messages and voice channels—might have been scraped and sold online for as little as $5.
404Media initially broke the story, reporting that an online service called Spy Pet was scraping over 10,000 servers throughout Discord. The massive amount of data accumulated from this activity is being used for multiple purposes: Spy Pet is selling it for as cheap as $5 via cryptocurrency (including Bitcoin, Ethereum, or Monero) for anyone who wants it, but especially for those in law enforcement as well as organizations looking to train AI systems.
According to the report, Spy Pet essentially turns Discord’s fragmented platform, where users can post on thousands of servers of their choosing, into an easy way to target one user’s activity. Anyone who pays can decide to see what you posted where in one convenient location. In short, it’s not good.
404Media tested out Spy Pet, and found it works as advertised. While the outlet cannot confirm Spy Pet’s claims of having the data of over 14,000 servers, 600 million users, and 3 billion messages, it was able to successfully purchase data from the service. Apparently, you can look up a specific user for about 10 cents. (I guess that’s all we’re worth.)
Spy Pet has data from a variety of different servers, from gaming communities like Minecraft, Among Us, and Runescape-themed services, to servers concerning cryptocurrency. That said, 404Media reports that many of the tens of thousands of servers listed here don’t have any data at all, and don’t appear likely to be scraped.
A new problem for privacy on the internet
This is obviously a massive breach of user privacy, but it’s a complicated story. For one, Spy Pet doesn’t actually scrape direct messages: Your private messages with other Discord users are safe. It’s just the messages you’ve posted in the servers themselves that are collected.
Here’s where things get tricky: These messages aren’t necessarily private. Anyone who joins the server will be able to see everything you post, and could pull that data themselves. Theoretically, if someone was a part of every Discord server you were active in, they could perform their own Spy Pet scraping of sorts. It would be weird of them, but they could do it.
What Spy Pet is doing, of course, goes beyond that: They’re scraping so much data and making it possible to check out all your activity for a dime of crypto. Plus, they’re selling it to parties you never consented to. Law enforcement probably doesn’t care about your Discord activity, but you didn’t expect the cops to scrutinize your Minecraft memes. The same goes for AI companies: I wouldn’t want my Discord data being used to train AI models, even if these companies are running out of internet to train their systems on.
What you can do to protect your Discord data
Unfortunately, there’s not much to do about the data that’s already been scraped: Spy Pet doesn’t appear to have any interest in removing your data from its servers if it’s there.
However, going forward, keep an eye out for any bots that want to join your Discord channels. That’s how Spy Pet appears to have scraped all this data in the first place. It’s not always easy, as this Reddit thread explains: Some bots don’t advertise themselves as such, but will appear as new accounts with no identifying information or profile picture, and will silently stay in the channel to scrape data. Better safe than sorry: Boot fishy lurkers.
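For moderators who would rather triage than eyeball the member list, here is an added example (not from 404Media or Discord) that scores members on the three traits described above: a new account, no profile picture, and silence since joining. The member records and avatar hashes are constructed, `message_count` is assumed to come from the server's own logs, and the 30-day and 7-day thresholds are assumptions to tune.

```python
from datetime import datetime, timedelta, timezone

DISCORD_EPOCH_MS = 1420070400000  # 2015-01-01 UTC, the base of Discord snowflake IDs

def account_created(user_id):
    """A snowflake ID's bits above bit 22 are milliseconds since the Discord epoch."""
    ms = (int(user_id) >> 22) + DISCORD_EPOCH_MS
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc)

def lurker_signals(member, now, new_account_days=30, lurk_days=7):
    """Return which of the three traits a member shows (thresholds are assumptions)."""
    joined = datetime.fromisoformat(member["joined_at"])
    signals = []
    if joined - account_created(member["id"]) < timedelta(days=new_account_days):
        signals.append("new_account_at_join")
    if member["avatar"] is None:
        signals.append("no_avatar")
    if member["message_count"] == 0 and now - joined >= timedelta(days=lurk_days):
        signals.append("silent_since_join")
    return signals

def review_queue(members, now, min_signals=3):
    """Members a moderator should look at by hand; this is triage, not proof."""
    scored = {m["username"]: lurker_signals(m, now) for m in members}
    return {name: s for name, s in scored.items() if len(s) >= min_signals}

def _snowflake(year, month, day):
    """Build a constructed sample ID for an account created on the given UTC date."""
    ms = int(datetime(year, month, day, tzinfo=timezone.utc).timestamp() * 1000)
    return str((ms - DISCORD_EPOCH_MS) << 22)

NOW = datetime(2024, 4, 20, tzinfo=timezone.utc)
# Constructed sample data, shaped like an exported member list.
SAMPLE_MEMBERS = [
    {"id": _snowflake(2019, 6, 1), "username": "longtime_user", "avatar": "a1b2c3",
     "joined_at": "2023-01-10T18:00:00+00:00", "message_count": 412},
    {"id": _snowflake(2020, 2, 1), "username": "quiet_regular", "avatar": None,
     "joined_at": "2024-01-05T12:00:00+00:00", "message_count": 0},
    {"id": _snowflake(2024, 3, 30), "username": "user_83412", "avatar": None,
     "joined_at": "2024-04-01T09:00:00+00:00", "message_count": 0},
    {"id": _snowflake(2024, 4, 18), "username": "just_arrived", "avatar": None,
     "joined_at": "2024-04-19T09:00:00+00:00", "message_count": 0},
]

if __name__ == "__main__":
    for name, signals in review_queue(SAMPLE_MEMBERS, NOW).items():
        print(name, signals)
```

Only `user_83412` shows all three traits in the sample; the long-standing quiet member and the newcomer who joined yesterday each show two and stay out of the queue, which is why the result is a list for a human to check rather than an automatic ban list.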
If you’re in control of the server, consider taking some privacy actions, like setting the server as private, or changing the verification settings for the server. These changes won’t guarantee privacy, but they’ll help keep bots away from your channels.
While it might not feel as public as something like Twitter, assume everything you post on Discord will be seen by anyone and everyone. That’s really a good rule of thumb for anything that isn’t end-to-end encrypted, but also, anything you post or send online at all. Even in the most secure of situations, nothing on the internet is foolproof, and someone, somewhere, may see what you said. If you join a Discord server, keep that in mind before you start typing away.