Discord.io Suffers Massive Data Breach

Rodney


Discord.io is a third-party service that enables owners of Discord servers to create customized, personal Discord invites. As of this writing, the service has temporarily shut down for the foreseeable future after suffering a data breach that exposed the information of 760,000 members.


Discord.io was made aware of the breach after a person known as 'Akhirah' began offering the Discord.io database for sale on the new Breached hacking forums. As proof of the theft, the threat actor shared four user records from the database.


For those unfamiliar with the new Breached, it is the rebirth of a popular cyber crime forum known for the sale and leaking of data stolen in data breaches.



The stolen information could include your Discord.io username, your Discord ID, your email address, your billing address, and, if you signed up in 2018 or earlier, a salted and hashed password. (In 2018, Discord.io started to offer Discord as its only login option.)


Payment details are said to be safe because those are stored safely by the payment partners, Stripe and PayPal.


While Discord.io is still investigating the breach, they believe that it was caused by a vulnerability in their website's code. This allowed an attacker to gain access to their database. The attacker then proceeded to download the entire database, and put it up for sale on a 3rd party site.


Despite listing the data for sale on a forum known for hacking and data leaks, Akhirah told Bleeping Computer that his or her motivations aren’t purely monetary.


“It’s not just about money, some of the servers they overlook I [sic] talking about paedophilia and similar things, they should blacklist them and not allow them,” the hacker told the site.


Despite receiving plenty of interest from those who want to use the data dump for “doxing other people they have problems with”, Akhirah told the site that their preference was to wait for Discord.io operators to promise a clampdown on this alleged illegal activity in return for the database not being sold.


Safeguarding Your Account

While the hacker says they have not sold the database, all Discord.io members should treat the situation as if their data will be abused. There are best practices to follow if you have been the victim of a data breach. These include:

  • Check the vendor's advice: Every breach is different, so check with the vendor to find out what's happened, and follow any specific advice they offer. In this case, victims should check the main website.

  • Change your password: Especially if the password has been re-used across different websites. On those other sites, the passwords should be changed as well. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don't use for anything else. Better yet, let a password manager choose one for you.

  • Enable two-factor authentication (2FA): Any type of 2FA is better than no 2FA. It makes account compromise more difficult because the malicious actor needs an additional authentication factor that they do not have.

  • Beware of phishing attempts: If you are a member of Discord.io, you should be on the lookout for unusual emails with links to pages asking you to enter your password or other information.

  • Use email aliases: Using a unique email alias for each online account can prevent malicious actors from linking those accounts to your personal or work email address, which protects your privacy.

