Discord.io breached, 760,000 users' data for sale
User IDs, passwords and payment dates are all in the stolen database
Discord.io - a third-party service that helps users find and create custom channels and servers on the Discord messaging app - has been breached, and the attacker has taken to hacking forums to sell the data trove.
At the time of writing, Discord.io has paused operations, shutting down all its services.
The site explains that it suffered "a major data breach" on the night of 14th August, leaking content to "unknown actors."
Discord.io was alerted to the breach later the same day, and immediately hit the pause button while it decided what to do.
What was taken?
A whole host of information was included in the breach, which Discord.io divides into two camps.
Non-sensitive information
- Internal user ID
- Information about avatars
- Status (moderator/admin/has ads/banned/public/etc)
- Coin balance, and current streak in Discord.io's free minigame.
- API key (this does not give access to your account, and was only available to less than a dozen users).
- Registration date.
- Last payment date, and the expiration date of premium memberships
Sensitive information
Comments from Discord.io are included next to each item.
- Your username - Either the one you provided at signup, or, for most of you, your current Discord username
- Your Discord ID - This information is not private and can be obtained by anyone sharing a server with you. Its inclusion in the breach does, however, mean that other people might be able to link your Discord account to a given email address.
- Your email address - Either the one you provided at signup, or, for most of you, your current Discord e-mail address.
- Your billing address - This should only concern a small number of people and corresponds to the billing address you gave us in order to make a purchase on our site before we began using Stripe.
- Your salted and hashed password - This should only concern a small number of people from before we exclusively offered Discord as a login option (starting in 2018). While your password was encrypted to industry standards, if it was not unique, we urge you to update it on any other site where it might be similar.
The website says it doesn't hold payment information, so that wasn't leaked; however, billing addresses, email addresses and Discord IDs - no matter how much the website is trying to downplay their importance - are concerning.
Discord.io says it has stopped operations "for the foreseeable future," with no indication for when it will be back.
Who is responsible?
While the service blames an unknown actor, a user going by "Akhirah" has claimed responsibility on Breached Forums - a successor to hacking site BreachForum, which the FBI took down this year.
Akhirah is offering the database for sale and posted samples to prove legitimacy. However, they say their motives go beyond the financial.
BleepingComputer, which claims to have spoken to Akhirah, says the hacker alleges that Discord.io links to illegal and harmful content. Their actions are supposedly intended to pressure the service into removing that content.
"It's not just about money, some of the servers they overlook I talking about pedophilia [sic] and similar things, they should blacklist them and not allow them," Akhirah told BleepingComputer.
So far Akhirah has apparently not sold the database. Nevertheless, all Discord.io users should be aware that their data, including email addresses, may have been compromised. Be vigilant for phishing and spam emails, and watch Discord.io for updates.