For those who are unaware, Discord's Zendesk instance was recently compromised. An employee was compromised, which led to everyone's support tickets being leaked.
Something interesting that came out of it was vx-underground's response. vx-underground is "The largest collection of malware source code, samples, and papers on the internet" according to their bio on X. They use a Discord account to communicate with anyone who wishes to message them.
After Discord's breach, vx-underground discovered that someone or a group of people had submitted 255,620 support requests on their behalf to Discord. Their alert email contained line after line of ticket numbers.
The vx-underground admin Discord account received a Discord 3rd party breach notification. I thought this was unusual because this account has nothing of value on it. It uses a generic vx-underground e-mail, it doesn't have access to anything, it doesn't have a credit card or
This makes it clear that a person can submit a Zendesk ticket using any email address - they could flood a company with support tickets in your name in an attempt to get you banned from the platform. In the case above, it appears Discord did not act on the spam tickets, but who knows what other companies would do.
Most people use the same email address for every account, making it easy for threat actors to know your email once they find it in a breach. Businesses may also use an easy-to-guess or publicly-posted email address such as "info@company.com" for their social media accounts.
It's best to use a different email for every account. This can be done using a service like SimpleLogin or, with Gmail, by typing +anything before the @ sign. For example, if your email is jon.doe@gmail.com, you also have jon.doe+discord@gmail.com. Add a few random numbers, such as jon.doe+discord8734@gmail.com, and you should be much more secure against attacks.
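The per-account alias idea above, as an added Python example (not from the original post): it generates a plus-address with a random numeric suffix for each service, then checks inbound mail against the service each alias was issued to, so an alias that turns up in mail from anyone else is flagged. The function names, the registry layout and the sample senders are assumptions made for illustration.

```python
import re
import secrets

def make_alias(base, service, digits=4):
    """Build local+service<random digits>@domain, e.g. jon.doe+discord8734@gmail.com."""
    local, domain = base.rsplit("@", 1)
    tag = re.sub(r"[^a-z0-9]", "", service.lower())
    if not tag:
        raise ValueError("service name has no usable characters")
    suffix = "".join(secrets.choice("0123456789") for _ in range(digits))
    return f"{local}+{tag}{suffix}@{domain}"

def audit_inbound(registry, messages):
    """registry maps alias -> domain of the service it was given to (hypothetical layout).
    messages is a list of (recipient, sender) pairs taken from mail headers.
    Sender addresses can be forged, so a match is not proof of origin.
    Returns (recipient, sender, reason) for every message worth a look."""
    findings = []
    for rcpt, sender in messages:
        rcpt, sender = rcpt.lower(), sender.lower()
        sender_domain = sender.rsplit("@", 1)[-1]
        expected = registry.get(rcpt)
        if expected is None:
            # Bare address, or a tag that was never issued to any service.
            findings.append((rcpt, sender, "unregistered-address"))
        elif sender_domain != expected and not sender_domain.endswith("." + expected):
            # The alias is being used by someone other than the service it was made for.
            findings.append((rcpt, sender, "alias-seen-outside-service"))
    return findings

if __name__ == "__main__":
    base = "jon.doe@gmail.com"  # example address from the text
    alias = make_alias(base, "Discord")
    registry = {alias: "discord.com"}
    # Constructed sample mail: the real service, a third party, and the bare address.
    sample = [(alias, "noreply@discord.com"),
              (alias, "offers@mailer.example.net"),
              (base, "support@example.org")]
    for finding in audit_inbound(registry, sample):
        print(finding)
```

A plus tag is part of the visible address, so anyone holding the alias can read the base mailbox off it; an alias service such as SimpleLogin, mentioned above, does not have that property.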
As the internet evolves, it is important to take precautions so we stay as secure as possible online. Thanks for reading.
