Discord.io said it “shut down all operations” on Aug. 15 after attackers stole the data of around 760,000 users and put it up for sale on the illegal hacking platform Breached Forums.
Discord.io is a third-party service that allows people to generate custom invites for their Discord channels. The website works as a search engine for Discord, helping visitors find servers that match their interests and request an invite to join.
The attack occurred on the evening of August 14, but the Discord.io team only became aware of it several hours later. After “confirming the content of the breach, we decided to shut down all services and operations,” it said.
“We are still investigating the breach, but we believe that the breach was caused by a vulnerability in our website’s code, which allowed an attacker to gain access to our database,” Discord.io wrote on its website.
“The attacker then proceeded to download the entire database, and put it up for sale on a third party site. We have decided to take down our site until further notice,” it added.
Discord.io also cancelled all active premium subscriptions on the site and promised to refund affected users. Sensitive data including Discord IDs, email addresses, salted and hashed passwords, and payment details were stolen.
As BleepingComputer reports, the hacker, who goes by the name ‘Akhirah’, posted a sample of the stolen information on Breached Forums not only to sell it but also to make a point.
“It’s not just about money, some of the servers they [Discord.io] overlook are talking about pedophilia and similar things, they should blacklist them and not allow them,” Akhirah said.
The hacker said the database has been of interest to many people, but mostly to those who want to use it for “doxing other people they have problems with (sic).” Akhirah is reportedly waiting for a deal with Discord.io's operators, under which they would remove the allegedly offensive material from the site in exchange for the stolen data not being sold.
A review of the archived pages of the Discord.io site shows Discord servers in the directory for a range of interests, including anime, gaming, so-called adult content, and more, per the BleepingComputer report.
Discord.io plays down attack
Commenting on the breach, Discord.io appeared to play down the importance of Discord IDs being stolen.
“This information is not private and can be obtained by anyone sharing a server with you. Its inclusion in the breach does, however, mean that other people might be able to link your Discord account to a given email address,” said the team about Discord IDs.
It also claimed that the site “does not store any payment information, and all payments are processed through PayPal and Stripe. We do not store any payment information on our servers, and this information was not leaked.”
Discord.io said it is planning “a complete rewrite of our website’s code, as well as a complete overhaul of our security practices” in order to prevent such attacks from happening again in the future.
The team urged people who signed up on Discord.io before 2018 “using our previous username/password registration, to change your password on any other site that might have used the same password.”