Idea for @discord to fix this account hijacking spam: If you're notifying more than 10 people (with @.everyone, group tag, etc.) or you try to DM more than 10 people per 5 min, require a 2FA prompt if the user has 2FA active. Doesn't fix the theft, but limits the blast radius.
Once the session is "trusted", it never has to be prompted again, but these are BRAND NEW SESSIONS, usually created by QR-code-hijack, which are being allowed to flood Discord with notifications (with sketchy-looking URLs, I might add).
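
A sketch of the step-up rule proposed above, added here as an example; it is not Discord's code or the poster's. The thresholds are the ones in the post, while the class, method names, and return strings are hypothetical, and "10 people" is assumed to mean distinct DM recipients per session.

```python
from collections import defaultdict, deque

# Thresholds taken from the post; all names below are hypothetical.
MASS_NOTIFY_LIMIT = 10        # people notified by one message
DM_LIMIT = 10                 # distinct DM recipients...
DM_WINDOW_SECONDS = 5 * 60    # ...per 5 minutes


class StepUpPolicy:
    """Decides when a session must pass a 2FA prompt before sending."""

    def __init__(self):
        self._dm_log = defaultdict(deque)  # session_id -> (timestamp, recipient)
        self._trusted = set()              # sessions that already passed 2FA

    def mark_trusted(self, session_id):
        # Call after a successful 2FA prompt; the session is not prompted again.
        self._trusted.add(session_id)

    def _can_prompt(self, session_id, has_2fa):
        # Only accounts with 2FA enabled can be challenged, per the post.
        return has_2fa and session_id not in self._trusted

    def check_notify(self, session_id, has_2fa, notified_count):
        if notified_count > MASS_NOTIFY_LIMIT and self._can_prompt(session_id, has_2fa):
            return "require_2fa"
        return "allow"

    def check_dm(self, session_id, has_2fa, recipient, now):
        log = self._dm_log[session_id]
        # Drop DMs that have aged out of the 5-minute sliding window.
        while log and now - log[0][0] >= DM_WINDOW_SECONDS:
            log.popleft()
        recipients = {r for _, r in log} | {recipient}
        if len(recipients) > DM_LIMIT and self._can_prompt(session_id, has_2fa):
            return "require_2fa"   # held message is not counted as sent
        log.append((now, recipient))
        return "allow"
```

Keying the counters on the session rather than the account is what targets a freshly hijacked session while leaving the owner's already-trusted sessions unprompted.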