Discord.io, a third-party site that allows users to create custom server invites for the instant messaging and voice app Discord, has been taken offline after a data breach led to the exposure of 760,000 users.
The breach took place on Aug 14, 2023, and Discord.io was taken offline shortly thereafter. Discord.io is not affiliated with Discord but acts as a third-party marketplace where users can create and list custom invites to their Discord channels for discovery.
According to a report, a person known as “Akhirah” began offering the stolen Discord.io database for sale on the Breached hacking forums, posting four user records from the database as proof.
Discord.io warned users that their site username, Discord ID, email address, billing address, and salted/hashed password were part of the information stolen. The staff stressed that Discord.io does not retain any payment information because all payments are processed through Stripe and PayPal.
Users were warned that if they had signed up for the site before 2018, their passwords could be at risk. Although those passwords were stored as salted hashes rather than in plaintext, they date from before the website switched to Discord’s own login system to authenticate users, so older accounts still had site-specific passwords on file. Users should consider setting up two-factor authentication on their other accounts and changing their passwords, especially if they reused the same password across different websites.
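To see why a salted hash is still “at risk” once the database is in an attacker’s hands, here is an added illustration that is not part of the original article and not Discord.io’s code. The hash scheme (salted SHA-256), the user records, the second site’s records and the wordlist are all constructed assumptions; the article does not say which algorithm Discord.io used. The point it shows is that a salt only defeats precomputed tables: against a fast hash the attacker just reruns the dictionary once per user, and any cracked password can then be tried against the same person’s accounts elsewhere.

```python
import hashlib


def hash_password(password: str, salt: bytes) -> str:
    """Salted fast hash. Assumed scheme for illustration only; the article
    does not name the algorithm Discord.io used for pre-2018 accounts."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


# Constructed "leaked" records: (site username, salt hex, hash hex).
# These are invented; they are not from the real breach.
SALTS = {
    "alice": bytes.fromhex("1a2b3c4d5e6f7081"),
    "bob":   bytes.fromhex("feedfacecafebeef"),
    "carol": bytes.fromhex("0011223344556677"),
}
LEAKED_RECORDS = [
    ("alice", SALTS["alice"].hex(), hash_password("password123", SALTS["alice"])),
    ("bob",   SALTS["bob"].hex(),   hash_password("letmein", SALTS["bob"])),
    ("carol", SALTS["carol"].hex(), hash_password("Xq7!vL#2pR9z", SALTS["carol"])),
]

# A second, unrelated site (constructed) where alice reused her password
# and bob did not. Different salts, so the raw hashes do not match across sites.
OTHER_SITE_RECORDS = [
    ("alice", "a1a1a1a1a1a1a1a1",
     hash_password("password123", bytes.fromhex("a1a1a1a1a1a1a1a1"))),
    ("bob",   "b2b2b2b2b2b2b2b2",
     hash_password("different-pass-2019", bytes.fromhex("b2b2b2b2b2b2b2b2"))),
]

# Tiny stand-in for the multi-million-entry wordlists attackers actually use.
WORDLIST = ["123456", "password", "password123", "qwerty", "letmein", "discord"]


def crack_records(records, wordlist):
    """Per-user dictionary attack against salted hashes.

    The salt forces the attacker to hash the wordlist once per user instead
    of once for everyone, but with a fast hash that is cheap. Returns a map
    of username -> recovered password for every hash that fell to the list."""
    cracked = {}
    for username, salt_hex, hash_hex in records:
        salt = bytes.fromhex(salt_hex)
        for candidate in wordlist:
            if hash_password(candidate, salt) == hash_hex:
                cracked[username] = candidate
                break
    return cracked


def find_reuse(cracked, other_records):
    """Try each recovered password against the same username's record on
    another site. Returns the usernames whose password was reused there."""
    reused = []
    for username, salt_hex, hash_hex in other_records:
        password = cracked.get(username)
        if password is None:
            continue
        if hash_password(password, bytes.fromhex(salt_hex)) == hash_hex:
            reused.append(username)
    return reused


if __name__ == "__main__":
    recovered = crack_records(LEAKED_RECORDS, WORDLIST)
    print("cracked:", recovered)
    print("reused on the other site:", find_reuse(recovered, OTHER_SITE_RECORDS))
```

Only carol, with a password that is not in the list, survives; alice and bob are recovered, and alice’s password also opens her account on the second site. This is exactly the exposure the warning about password reuse is describing, and why changing the password and enabling two-factor authentication elsewhere matters even when the leaked hashes were salted.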
Less sensitive data in the breach included internal user IDs, avatar details, user status, coin balances, and registration dates. API keys used to access Discord channels were also leaked, but Discord has since revoked them, so although they were exposed they can no longer be used.
According to the hacker, Discord.io does not moderate its invite marketplace and allegedly links to illegal and harmful content.
According to the hacker, many of the people interested in the database were less interested in the passwords as a way to break into accounts than in using the personal data to “dox” victims, that is, to publish their identifying details online. Akhirah said they would rather wait for Discord.io to respond about removing the offending content from the site, in exchange for not selling or releasing the stolen data.
Discord.io said it is investigating the probable cause, which appears to be a vulnerability in the website’s code. In the meantime, the staff has taken the service offline and canceled all active subscriptions. A refund will be offered to anyone who purchased a membership in the past 30 days.