It's hard to know whether this is something harmless or a sign of a serious design flaw in Discord without more information.
If this company is just assuming that Dumbledore32168 is the same user on server A and server B, then either:
- users chose to use the same name on every server with the expectation that people from other servers would recognize them, in which case there's really no problem at all, or
- some servers don't allow you to set your username, in which case that's a real problem, and a good reason to use something other than Discord,
and I have no idea which of these is the case.
If, however, they are doing something more clever and matching people even when they have different usernames, then this suggests a *major* design flaw.
It should not be possible for anyone other than the actual owner of the server to obtain any identifier for a user that is shared across multiple servers. Other people should be able to see your local (per-server) username, period. There are reasons for a signed-in user to pass uniquely identifying values *to* the server, and there are legitimate reasons for the server to store that mapping, but there are no reasons for there to be any web-facing API for converting from a username back to that identifier, period, under any circumstances. Even things like private messaging should be sending the local username or a local user identifier, not any sort of global identifier.
And even during the sign-in/sign-up process, the identifier sent from the authentication server to the content server need not be shared across servers. There's nothing inherently preventing Discord from providing a different per-user unique identifier to each server, and if privacy were a serious consideration in the design, they would be doing this. So again, if they are successfully tracking users across servers when usernames don't match, then Discord's entire security architecture needs a major overhaul, because that would mean that Discord as a platform is severely flawed architecturally, and that privacy was not a serious consideration in its design.
So could someone from Discord please clarify what is happening here?
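
The per-server identifier idea described in the comment above, sketched as an added example (not part of the original comment and not Discord's code). It assumes a hypothetical `AuthServer` that derives each identifier with HMAC-SHA256 over the server ID and the internal user ID; all names, keys and IDs are constructed for illustration.

```python
import hashlib
import hmac
import secrets


class AuthServer:
    """Hypothetical central authentication service (not Discord's API)."""

    def __init__(self, key=None):
        # Secret known only to the auth service; content servers never see it.
        self._key = key or secrets.token_bytes(32)

    def pairwise_id(self, global_user_id: str, server_id: str) -> str:
        """Identifier handed to one content server for one user."""
        # Length-prefix each field so ("ab", "c") and ("a", "bc") cannot collide.
        msg = b"".join(
            len(part).to_bytes(4, "big") + part
            for part in (server_id.encode(), global_user_id.encode())
        )
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:32]


def correlate(ids_a, ids_b):
    """What two colluding servers (or a scraper) can match by comparing IDs."""
    return set(ids_a) & set(ids_b)


def demo():
    auth = AuthServer(key=b"\x01" * 32)               # constructed key
    users = ["user-1001", "user-1002", "user-1003"]   # constructed internal IDs

    # Design the comment objects to: one global ID visible on every server.
    global_a, global_b = list(users), list(users)

    # Design the comment proposes: a different ID per (user, server) pair.
    pair_a = [auth.pairwise_id(u, "server-A") for u in users]
    pair_b = [auth.pairwise_id(u, "server-B") for u in users]

    return {
        "global_overlap": len(correlate(global_a, global_b)),
        "pairwise_overlap": len(correlate(pair_a, pair_b)),
        # Same user on the same server always gets the same ID, so
        # per-server bans and message history keep working.
        "stable": pair_a[0] == auth.pairwise_id("user-1001", "server-A"),
    }


if __name__ == "__main__":
    print(demo())
```

Only the holder of the HMAC key can link the two identifiers, which keeps cross-server correlation inside the authentication service.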