Discord.io, a custom invite service for the instant messaging service Discord, has suffered a data breach that exposed the personal data of more than 760,000 users.
Discord.io is a third-party service which allows Discord users to create customized invitations to their channels on Discord itself.
The breach was discovered on August 14, after a database containing the personal information of Discord.io users was put up for sale on the dark web.
The hacker, who uses the alias ‘Akhirah’, shared four user records from the database as proof of the data’s authenticity. Discord.io also confirmed that the data was legitimate.
In response to the breach, Discord.io shut down all operations and services and launched an investigation. So far, the investigation has revealed that the hacker gained access to Discord.io’s database via a vulnerability in the website’s code. This allowed Akhirah to download Discord.io’s entire database and put it up for sale on the new version of the infamous hacking site Breached Forums.
The data leaked was extensive and included both non-sensitive and sensitive account information.
Non-sensitive account information:
- Internal user ID.
- Information about user avatar.
- User status, e.g. moderator/admin/has ads/banned/public/etc.
- User coin balance, and their current streak in Discord.io’s free minigame.
- User API key; this does not give access to user accounts, and fewer than a dozen users had one.
- User registration date.
- The last payment date and expiration date of users with premium memberships.
Potentially sensitive account information:
- Discord ID, although this information is not private and can be obtained by anyone sharing a server with said user. It could, however, mean that other people may be able to link specific Discord accounts with a given email address.
- Email address.
- The billing address of users who provided this data to Discord.io before the site started using secure payment service Stripe.
- The salted and hashed passwords of people who signed up for Discord.io before it exclusively offered Discord as a login option, which started in 2018.
In total, it is estimated that the data breach affected more than 760,000 individuals.
Discord.io made the decision to take down the site “until further notice” while it continues to investigate possible causes of the breach. The site said it will “take steps to ensure this does not happen again”, including a complete rewrite of the website’s code and an overhaul of its security practices.
The site noted that there is “no need to change your password or take any action on Discord itself”, but urged users who signed up before 2018 to change their password on any other site where they used the same password.
A Discord spokesperson said of the breach: “Discord is not affiliated with Discord.io. We do not share any user information with Discord.io directly and we do not have access to or control of information in Discord.io’s custody.
“We have revoked the OAuth tokens for any Discord user that has used Discord.io, so that app can no longer perform actions on behalf of those users until they re-authenticate”.
Discord also recommended that users enable two-factor authentication (2FA) to protect their accounts, and suggested they consider setting up SMS authentication.