Discord.io suffers massive data breach, announces closure


Discord.io, a service that allowed users to create custom links for their Discord channels, is closing down following a large data breach.

A hacker stole the data of 760,000 users, per TechRadar, and has posted a sample on Breached Forums in order to potentially sell it. The discord.io site now displays a message saying "we are stopping all operations for the foreseeable future".

The third-party service has published a list of exactly what is and isn't contained in the stolen data.

What is contained in the breach:

  • Non-sensitive information about your account:

    • Your internal user ID.

    • Information about your avatar.

    • Your status (moderator/admin/has ads/banned/public/etc).

    • Your coin balance, and current streak in our free minigame.

    • Your API key (this does not give access to your account, and was only available to less than a dozen users).

    • Your registration date.

    • Your last payment date and the expiration date of your premium membership.

  • Potentially sensitive information about your account:

    • Your username.

      • Either the one you provided at signup, or, for most of you, your current Discord username.

    • Your Discord ID.

      • This information is not private and can be obtained by anyone sharing a server with you. Its inclusion in the breach does, however, mean that other people might be able to link your Discord account to a given email address.

    • Your email address.

      • Either the one you provided at signup, or, for most of you, your current Discord e-mail address.

    • Your billing address.

      • This should only concern a small number of people and corresponds to the billing address you gave us in order to make a purchase on our site before we began using Stripe.

    • Your salted and hashed password.

      • This should only concern a small number of people from before we exclusively offered Discord as a login option (starting in 2018). While your password was encrypted to industry standards, if it was not unique, we urge you to update any other site that might have used this password.

What is not contained in the breach:

  • Anything not explicitly listed above.

  • Your payment details (those are stored safely by our partners Stripe and PayPal).

The service says it has cancelled existing premium subscriptions. It adds that it has yet to be contacted by the hacker, and that as far as it knows "the database itself has not yet been shared publicly".




via Zero Tech Blog