Discord.io Halts All Operations After Massive Data Breach

Written by

Discord.io has shut down operations after suffering a major data breach exposing the personal details of its 760,000 members.

A statement on the Discord.io website confirmed that a preview of the Discord.io's users database was posted on cybercrime marketplace BreachForums at 12.51am CET on Monday, August 14 (18.51 ET Sunday, August 13), with the rest of the database offered for sale.

As a result, a notice on Discord.io reads: “We are stopping all operations for the foreseeable future.”

The third-party service is not an official Discord website, but allows server owners to create custom invites to their Discord channels.

Discord.io added that it has canceled all active subscriptions and will be reaching out to individual members as soon as possible.

Providing an update on August 15, the company revealed it believes the breach was caused by a vulnerability on its website’s code, allowing the attacker to gain access to the member database.

“The attacker then proceeded to download the entire database, and put it up for sale on a third-party site,” read the post.

The third-party site is BreachedForums, which is the rebirth of a notorious cybercrime marketplace used for the sale and leaking of data stolen in data breaches. The previous iteration was taken down in June 2023 after the US government captured its surface web domains.

Discord.io will continue to investigate the possible causes of the breach and plans to take action to try and ensure a similar incident does not occur again before resuming operations. This includes “a complete rewrite of our website’s code.”

Damaging Exposure

Discord.io informed members of the data compromised in the breach, this includes sensitive details such as all users’ usernames, DiscordIDs and email addresses. A “small number” of members’ billing addresses and salted and hashed passwords have also been exposed.

However, no payment details were breached as Discord.io does not store this information, with all transactions processed through PayPal and Stripe.

A range of non-sensitive data was also exposed in the incident, including internal user IDs, coin balances, API keys and registration dates.

Commenting on the incident, Erfan Shadabi, cybersecurity expert at comforte AG, warned of the potentially severe impacts of the breach on user privacy and security.

“With the personal information of hundreds of thousands of individuals compromised, the potential for identity theft, phishing attacks, and other malicious activities is alarming,” he said.

Jamie Moles, Senior Technical Manager at ExtraHop, emphasized that Discord is made up of private communities and is not a public forum – therefore it is especially concerning that malicious actors can potentially access both the personal information and messages of 760,000 users.

“Like the hack on the [UK’s] Electoral Commission just last week, names and addresses appear to have been stolen in this attack – but in addition, discord usernames have also been leaked. Imagine if a user said something another user didn't like – the disgruntled user can potentially identify the other user by name and turn up to their home,” noted Moles.

In May 2023, the Discord social platform notified users of a data breach that occurred when a threat actor gained unauthorized access to the support ticket queue of a third-party customer service agent.

What’s hot on Infosecurity Magazine?