Imagge: ilgmyzin (unsplash)
Discord.io has paused its activities following a significant data compromise, revealing the personal information of approximately 760,000 members.
The official communication on the Discord.io platform disclosed that a segment of the platform’s user database appeared on the online marketplace, BreachForums, around 12.51am CET on Monday, August 14. Subsequently, the entire database was listed for purchase.
Subsequent to the breach, a notification on the platform communicated their decision to suspend all operations for an undetermined period.
Though not officially affiliated with Discord, this third-party platform facilitates server owners in crafting unique invitations to their Discord channels.
Discord.io also mentioned the termination of all ongoing subscriptions, committing to reach out to its members in due course.
On August 15, the platform updated its community, suspecting that the breach might have resulted from a flaw in its platform’s code. This allowed the intruder to access the user database.
Upon obtaining access, the intruder downloaded the entire database, later listing it on a third-party marketplace, identified as BreachedForums. This marketplace is known for its data leak and sale operations and is a reincarnation of another infamous digital marketplace. Its prior version was decommissioned in June 2023 when the US authorities seized its primary web domains.
In response, Discord.io has dedicated resources to uncover the root cause of this breach. The company intends to implement measures to prevent similar incidents. This includes revising the entire codebase of the platform.
Discord.io apprised its members about the extent of the compromised data. Exposed details encompass crucial information like users’ usernames, DiscordIDs, and email accounts. Furthermore, select members had their billing addresses and encrypted passwords revealed.
Yet, any financial data remained secure since Discord.io processes its transactions exclusively through intermediaries like PayPal and Stripe. Some non-critical data was also compromised, such as user IDs, in-app coin balances, API keys, and sign-up dates.
Erfan Shadabi, a digital security specialist at comforte AG, commented on the breach’s potential implications on user data privacy and protection. He highlighted the increased risk of identity theft, phishing strategies, and other hostile endeavors due to the breach.
Jamie Moles, the Senior Technical Manager at ExtraHop, pointed out the private nature of the Discord community. The potential of malicious entities accessing both personal details and messages of such a vast number of users is particularly unsettling. Drawing parallels to a recent incident involving a prominent UK institution, Moles expressed concern over the compromised names and addresses. He illustrated a scenario where disagreements between users could escalate due to the potential of personal identification.
In a separate incident from May 2023, the main Discord platform informed its users about a data compromise stemming from unauthorized access to a third-party customer support agent’s ticket system.