Here we go again. Discord, the San Francisco-based unicorn company boasting a $15 billion valuation and 150 million monthly active users, is making headlines for another data security breach. But it’s not what you think. This time, it’s discord.io, a third-party service that does not operate under the governance of the social messaging platform discord.com. Confused? We thought you might be. Read on to see if your information was compromised.
Discord.com Data Breach – March 2023
The first breach occurred in March 2023, when a user gained unauthorized access to Discord users’ data via a third-party service provider. The hacker stole data on service tickets, which included personal information like driver’s license numbers, for 180 users. According to BleepingComputer, the ticket queue of a third-party customer support agent was exposed. The queue contained user email addresses, Discord support messages, and attachments on the tickets.
Discord sent emails to affected users explaining that the compromised account had been deactivated and the user’s machine underwent malware checks. In addition, they claim to have worked with the customer service partner to improve their practices and prevent these incidents from happening in the foreseeable future.
In a follow-up beginning August 21, 2023, Discord began reaching out to users affected by this breach with additional information disclosing what Personal Identifying Information (PII) was exposed.
Discord.io Data Breach – August 2023
Here’s where it gets confusing. Last week, on August 14, 2023, a Discord.io database containing the stolen information of users was put up for sale on the dark web by a hacker under the alias of ‘Akhirah.’ The threat actor boasts that the database contains the personal information of 760K Discord.io users. Discord.io is yet another third-party service that offers custom invite URLs for Discord channels. Youtuber NTTS does a great job of sorting out all the confusion in this recent video:
At the time of this post, Discord.io has been brought to a screeching halt, and its servers have been shut down. Their homepage has been replaced by a post detailing the incident and steps they are taking to remedy the hack and protect user data. According to the discord.io website:
|What are we doing about this?
We have decided to take down our site until further notice.
We will continue to investigate the possible causes of the breach, and we will take steps to ensure that this does not happen again.
What should you do?
As we only stored your Discord user-id and not your Discord authentication token, there is no need to change your password or take any other action on Discord itself.
However, if you signed up on our site from before 2018 using our previous username/password registration, we urge you to change your password on any other site that might have used the same password.
Sensitive compromised user information in the breach includes Discord.io members’ usernames, email addresses, and billing addresses (limited numbers), salted & hashed passwords (limited numbers), and user Discord IDs.
What do you need to do?
This isn’t the first major data breach, and it certainly won’t be the last. Some of the biggest data breaches in US History prove that any company can be at risk.
Although these data breaches occurred on different servers, and through different services entirely, it’s always a good idea to choose a strong password and update your passwords regularly. Discord.com also offers two-factor authentication (2FA), which adds an extra layer of security to your Discord account to make sure only you can access it.
We hope you found this article useful, and that your sensitive data remains secure. In the meantime, stay safe out there on the wild wild web!