Discord.io suffers data breach, goes offline

Discord.io is stopping all operations for the foreseeable future following a massive data breach. The resulting leak affected over 760,000 users.

On August 14th, the popular Telegram channel Information Leaks brought attention to an ad on the dark web where a threat actor claimed to have a database of 760,000 Discord.io users for sale. The data included email addresses and hashed passwords.

Discord.io is a third-party interface, allowing users to create custom links for their Discord channels.

On August 15th, the platform confirmed the data breach, describing it as massive, and said it was “stopping all operations for the foreseeable future,” shutting down all services and operations.

“We are still investigating the breach, but we believe that it was caused by a vulnerability in our website's code, which allowed an attacker to gain access to our database. The attacker then proceeded to download the entire database, and put it up for sale on a 3rd party site,” Discord.io said.

Here’s what was leaked:

  • Usernames
  • Discord IDs
  • Email addresses
  • Billing addresses
  • Salted and hashed passwords

Leaked passwords “should only concern a small number of people from before we exclusively offered Discord as a login option (starting in 2018).” Even though the passwords were protected, Discord.io urged users to update them immediately, especially in cases where they were not unique.

Discord.io confirmed that it didn’t store any payment information.

“We will continue to investigate the possible causes of the breach, and we will take steps to ensure that this does not happen again. This will include a complete rewrite of our website's code, as well as a complete overhaul of our security practices,” it noted.

Discord.io cancelled all active subscriptions and will fully refund users who had recently purchased premium membership.