Discord Is Threatening to Shutdown BotGhost

nxrabl

> A recent security breach on our platform brought BotGhost to Discord’s attention.

The breach in question is documented here: https://youtube.com/watch?v=lUiLBBab1RY

I don’t think there’s a text write-up, but tl;dw a combination of missing input sanitization and no-code UI trickery made it possible to leak other users’ bot tokens, and despite patching the exploit pretty quickly on exposure, BotGhost’s developer tried to cover it up and refused to reset potentially affected tokens.

rozab

Seems like this is it. They should have got Discord to revoke all the potentially affected tokens. Instead, they tried to hide it and Discord forced their hand.

I really dislike the way they try and play this down in the doc:

https://update.botghost.com/#-summary-of-the-breaches-

czk

I've often thought about the amount of data that these bot services must have access to (they could log millions of private channels), data that's siloed away from search engines/indexers and could be pretty valuable to sell to someone training an AI model, or doing other things.

A while back there was a service called 'Spy Pet' that ran hundreds of discord bots selling access to searchable data logs. I wonder if discord is primarily concerned about the massive logging capability of services like these.

paxys

After Reddit's API shutdown the writing was on the wall. Services like Reddit and Discord are huge data troves, and now this data has a concrete $$ value. Offering unrestricted API access means that third parties will store and sell this data. So shutting them down (and monetizing your data yourself) is an obvious decision. Slack recently changed its ToS to disallow this as well - https://www.reuters.com/business/salesforce-blocks-ai-rivals....

haneul

Yea the data market from discord bots is quite a thing. Really concerning, imo.

fakedang

This isn't Discord doing this out of the goodness of their privacy-concerned hearts. They'll eventually try to do a Salesforce-Slack kind of play here by preventing external entities from monetizing on their platform.

Tech will turn into a casino where the house (aka the platform) always wins.

areyourllySorry

spy.pet used user accounts. botghost uses bot accounts, for which you need to enable certain intents in order to read messages.

ocdtrekkie

One of the things I found surprising is that many of Discord's bot permissions are not scoped to servers at all. I've been asked to authenticate with a bot service for one server numerous times that requests access to things pertaining to all servers I use, and that seems very wrong.

throwaway7679

There are lots of details about the technology, license agreements, service history, comparable platforms, and whatnot, which all form reasonable support for botghost.

None of that matters in the slightest. They're dealing with an indifferent, capricious, unaccountable company. And trying to do it without enough leverage to even get a response.

It seems like it's about to end the way it was always going to.

out-of-ideas

yup, agreed - worth going over the non tl;dr (sufficient to say the tl;dr misses some good juice, but that's what the page in full is for).

i was sorta curious on the policy changes over time, since botghost has been around since '18. all i can say is good luck to botghost

histories of policies-ish:

- from the tl;dr (they also explain #4 as well in the non-tl;dr):

> Discord issued a breach notice to BotGhost, claiming the platform violates Developer Policy 4 by handling bot tokens, which has been a core part of how BotGhost has worked since 2018.

- policy from discrap: https://support-dev.discord.com/hc/en-us/articles/8563934450...

> 4. Do not collect, solicit, or deceive users into providing passwords or other credentials. Under no circumstances may you or your Application request or attempt to obtain login credentials from Discord users. This includes information such as passwords or account access or login tokens.

- policy in 2022 (of that page, but note the random digits in the numbers make it terrible to easily see history), thanks archive.org!: https://web.archive.org/web/20221001073449/https://support-d...

> Do not collect, solicit, or deceive users into providing user login credentials. Under no circumstances may you or your Application solicit, obtain, or request login credentials from Discord users in any way. This includes information such as passwords or user access or login tokens.

- and archive.org of github of the before 2022 change (mentioned in the above archive) (does not really mention collecting of user auths - as per my quick glance [i welcome a double check]): https://web.archive.org/web/20220921062136/https://github.co...

edit: fix copy-pasta

throwaway7679

> NEITHER DISCORD NOR ITS AFFILIATES, SUPPLIERS, OR DISTRIBUTORS MAKE ANY SPECIFIC PROMISES ABOUT THE APIs, API DATA, DOCUMENTATION, OR ANY DISCORD SERVICES.

The existence of terms like this make any discussion of the other terms look pretty silly.

Their policy is simply that they do whatever they want, and that hasn't changed.

out-of-ideas

> Their policy is simply that they do whatever they want, and that hasn't changed.

yup! and don't forget they can change their policy whenever they want too

also they rank D on this site: https://tosdr.org/en/service/536

pavel_lishin

> If BotGhost is forced to shut down, your bot will stop working. Your settings, custom commands, custom events, market commands, market events and any work at all hosted on BotGhost will be lost. Because BotGhost does not produce code, there is no way for us to export your bot's configuration.

> BotGhost cannot export bot configurations due to its no-code structure. If shutdown happens, all bots and user data will be permanently lost.

I don't think I understand this part - what does the "no-code" mean in this context? How can this data not be stored somewhere for the service to function at all? Does this mean that BotGhost also has no backups, and a technical glitch could cause a similar problem?

teraflop

What they mean is "the 'no-code' logic for your bot is stored in a proprietary format that's only understood by our software, and we don't want to release our software publicly, nor do we want to document the format."

paxys

An end user creates an application in Discord. They create a bot within that application, and Discord generates a token for the bot. They then copy the token into BotGhost, and BotGhost "operates" the bot. The application itself is still owned by the user, and BotGhost has no access to it.

markasoftware

botghost should still theoretically be able to serialize and export the bot's logic

lsaferite

They could export a DSL that captures the workflow at least.

mslansn

If you care so much about the users as you say then you will release the code in a docker image so they can continue using your product.

areyourllySorry

their target audience does not know what a "docker" is, much less wants to lease a server for hosting

mslansn

You can teach someone how to rent a vps and run a docker image with one 10-minute youtube video. Then they can use the drag and drop editor and run the bot themselves. If they don’t want to pay for hosting that’s too bad. A vps to run a bot will cost a couple bucks a month.

JadoJodo

*You can teach ~someone~ a very technical user how to …

I get the non-techie blindspot that all of us have in some form or another. With that in mind: it took three days to give my brother a crash course in Linux + Docker for his own home server (and even then he only knew the very basics). He’s fairly proficient in tech: builds his own desktops, knows the basics of code, doesn’t shy away from digging into the why, etc.

It would be unrealistic (and frankly irresponsible) to expect someone to set up _and understand_ a Docker server setup from a 10-minute video.

koakuma-chan

It's actually pretty hard to install Docker... Add Docker official GPG key... Install a bunch of crap...

swyx

yes but also once you let that happen there will be thousands of discord servers holding tokens, with no security updates...

macspoofing

Oh come on. I'm sure they care about the users, and they were also hoping to build a business. Why the hostility? You don't have to kick them when they are down.

apt-apt-apt-apt

This same story plays out with every monopoly platform e.g. Apple.

Basically, you are likely in competition with something they are making, or are otherwise bad for business. The specific policy violation they choose doesn't matter; you are getting dicked down because they want it to be so.

meepmorp

> every monopoly platform

discord ain't a monopoly in any relevant sense of the word

Banditoz

Playing devil's advocate a bit, if this service hosts a Discord bot you create for you, that means it uses the bot token, right? The service has to store and secure hundreds of thousands of tokens, if all of those get breached/leaked, an attacker can do a lot to a lot of Discord servers assuming it has the requisite permissions.

However, they do claim that Mee6 (the biggest Discord bot by # of servers, iirc) offers a similar feature but Discord is letting them slide?

paxys

Discord holds user session tokens right? If those tokens are leaked then attackers will have access to Discord user data. Seems like Discord should be shut down.

Banditoz

Hmm, good point, but Discord can't control the security of a third party platform like this.

Not saying it's the right thing to do, but it seems to be their reasoning.

sneak

Discord has the plaintext of every single message ever sent via Discord, including all DMs.

Can you imagine the value to LLM companies?

It’s probably the single largest collection of sexting content outside of WeChat (and Apple’s archive of iCloud Backups that contain all of the iMessages).

merb

The biggest problem is that discord has no way to authorize these platforms without the user giving them credentials. It’s really stupid because it would be so easy to fix.

everforward

I think that's because Discord doesn't want them to do it this way. I suspect Discord wants BotGhost to operate their own bot with their own credentials, and have users invite the bot to their servers (similar to how many existing bots work). BotGhost could tell which no-code workflows apply based on server and/or channel ID.

I think Discord has a fair argument that if BotGhost "writes the code" (read: translates workflows to actual execution), and BotGhost operates the bot, then really it's BotGhost's bot and they should own the bot and have it be visible to users as their bot.
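The single-operator-bot model described in the comment above, as an added example that is not BotGhost's or Discord's code: one bot identity, with each tenant's no-code workflow selected by the `guild_id` (and optionally `channel_id`) carried in a Discord gateway `MESSAGE_CREATE` dispatch, so the service stores guild IDs and workflows but never a user's bot token. The workflow table format and the snowflake IDs are constructed for this example.

```python
import json

# Constructed per-guild workflow table. This stands in for the no-code logic a
# service like BotGhost would store; the shape is an assumption, not its format.
WORKFLOWS = {
    "111111111111111111": [  # tenant guild A
        {"trigger": {"prefix": "!hello"}, "action": {"reply": "Hi from guild A"}},
    ],
    "222222222222222222": [  # tenant guild B
        {"trigger": {"prefix": "!hello"}, "action": {"reply": "Hi from guild B"}},
        # Channel-scoped trigger: only fires in one channel of guild B.
        {"trigger": {"prefix": "!ping", "channel_id": "333333333333333333"},
         "action": {"reply": "pong"}},
    ],
}


def route_event(event_json: str, workflows=WORKFLOWS) -> list[str]:
    """Return the replies one gateway dispatch produces under the operator-bot model.

    The tenant is identified by the guild the message arrived in, so isolation
    between customers is a lookup on guild_id rather than custody of their tokens.
    Reading `content` requires the bot's MESSAGE_CONTENT intent to be enabled.
    """
    event = json.loads(event_json)
    if event.get("op") != 0 or event.get("t") != "MESSAGE_CREATE":
        return []                       # not a dispatch we act on
    d = event["d"]
    if d.get("author", {}).get("bot"):  # ignore bots, including our own echoes
        return []
    guild_id = d.get("guild_id")
    if guild_id is None:                # DMs carry no guild; no tenant owns them
        return []
    replies = []
    for wf in workflows.get(guild_id, []):  # unknown guild -> no workflows
        trig = wf["trigger"]
        if "channel_id" in trig and trig["channel_id"] != d.get("channel_id"):
            continue
        command_word = d.get("content", "").split(" ")[0]
        if command_word == trig["prefix"]:  # exact match on the first word only
            replies.append(wf["action"]["reply"])
    return replies


def make_event(guild_id, channel_id, content, bot=False) -> str:
    """Build a constructed MESSAGE_CREATE dispatch in the gateway's op/t/d shape."""
    d = {"channel_id": channel_id, "content": content,
         "author": {"id": "444444444444444444", "username": "alice", "bot": bot}}
    if guild_id is not None:
        d["guild_id"] = guild_id
    return json.dumps({"op": 0, "s": 7, "t": "MESSAGE_CREATE", "d": d})
```

Each guild's logic is reached only through its own `guild_id`, so a compromise of this table exposes workflow definitions, not credentials that let an attacker act as someone else's bot.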

koakuma-chan

Sorry for your loss. I too virtually stopped using Discord in favor of, mostly, Reddit (lesser of two evils).

zapzupnz

I'm not sure how the two are remotely comparable. I don't go to Reddit for live discussion, voice and video chat, etc.

koakuma-chan

I used to go to Discord for help, and now I go to Reddit for help.

immibis

Reddit is more evil than Discord IMO - they did this years ago, tried to shut down all bots and unofficial apps, and they heavily manipulate consensus opinion, which Discord doesn't as far as I know.

anonym29

The lesser of two evils is still evil. Make Forums Great Again!

gagik_co

Agree! I finally set up my own NodeBB forum for my app support and I'm very excited to move in this direction. It was a nicer experience than expected.

add-sub-mul-div

I can't think of any way to look at this where Reddit is the lesser evil. I respect the position but I don't understand it. Reddit and Twitter reached the floor of enshittification with their respective 2023 actions. Discord and others may follow the precedent and get there, but my usage hasn't been affected yet. The Discord official client, unlike Reddit/Twitter, is still ad-free except for the occasional icon highlighting their "Shop" tab.

koakuma-chan

> is still ad-free

I use an adblock, so I don't see any ads on Reddit.

> I can't think of any way to look at this where Reddit is the lesser evil.

Reddit is the lesser evil for my personal use case because more and more Discord servers require a verified phone number to send messages. I can't get help if I can't send a message.

immibis

General PSA: in most situations these things like "terms of service" and "breach notice" have no legal effect. (I am not a lawyer and this is not legal advice)

What they do is the same as a "cease and desist": they warn you that Discord might consider suing you or might try to ban you by technical means.

It's all about business, not what the terms say. If Discord thinks BotGhost is good for Discord's bottom line, they'll let it exist. If they think it's bad, they'll stop letting it exist. I haven't the slightest clue why Discord now thinks BotGhost is bad for Discord's bottom line, but it's probably got something to do with legibility (in the Seeing Like A State sense) to investors for their IPO. Or they're working on a competitor internally.

pnw

It feels to me like Discord is speed-running the developer relations playbook that we've seen happen over a longer timeframe with large platforms like Apple and Google. This is the second high profile incident like this in recent weeks IIRC.

What's even stranger to me is that Discord was putting on a full-court press to get developers onto their platform over the last twelve months. This kind of response is certainly not going to help make devs feel all warm and fuzzy about continuing to build on Discord.

altairprime

Discord has a monopoly on access to its users, and so does not need to concern themselves with making it attractive to build there: the users are the draw, not the developer-friendliness of the platform. BotGhost should seek anti-monopoly enforcement; having EU users file the appropriate EU claims to appeal for Discord to be subjected to the DMA would be far more a threat to Discord’s monopoly than user support tickets are likely to persuade them.

brookst

Wait, doesn't every company have a monopoly on access to its users? Are we all monopolies?

PokemonNoGo

Has there ever been anything warm and fuzzy about discord?

linotype

Kind of lame to put competitors on blast.