Discord.io has shut down “for the foreseeable future,” after crooks stole, and then put up for sale, data belonging to all 760,000 of the service’s users.
The attack happened on Monday night, “resulting in content from our database being leaked to unknown actors,” according to a notice on the Discord.io website.
After swiping all of the data, including both “non-sensitive” and “potentially-sensitive” account details, a miscreant who goes by the handle Akhirah dumped the info on a cybercrime forum.
“We will continue to investigate the possible causes of the breach, and we will take steps to ensure that this does not happen again,” the Discord.io notice said. “This will include a complete rewrite of our website’s code, as well as a complete overhaul of our security practices.”
To be clear: the intrusion happened to Discord.io, a third-party service for creating custom invites for individual Discord servers. It’s separate from Discord, the IRC-on-steroids instant-chat empire that remains secure.
Discord.io said it confirmed the dumped data was taken from its systems, and because of this “decided to take down our site until further notice.” While an investigation is still ongoing, the site administrators say they believe the intruders gained access to the website via buggy code, which allowed them to break into the database.
Stolen data includes users’ names (usually their current Discord username), email addresses, Discord IDs, and the billing addresses of anyone who made a purchase on the site before Discord.io began using Stripe.
Miscreants also leaked users’ salted and hashed passwords, which the service says only affects “a small number of people from before we exclusively offered Discord as a login option.” That began in 2018.
“While your password was encrypted to industry standards, if it was not unique, we urge you to update it on any other site where it might be similar,” the site admins cautioned.
The crooks did not access payment information, which Discord.io says it does not store on its servers any more since moving to Stripe and PayPal.
In addition to the above-mentioned user info, the criminals leaked some additional “non-sensitive” account details, including: internal user ID, avatar info, status (ie, moderator, admin, banned, public, etc), coin balance, API key, registration date, last payment date, and the expiration date of users’ premium membership.
As well as shutting down the site, Discord.io has also cancelled all active subscriptions, and promised to refund all premium memberships purchased in the last 30 days. ®