A popular third-party Discord service has closed “for the foreseeable future” after being targeted by a hacker offering data on its 760,000 members for sale.
Despite this, the hacker later claimed that the data sale isn’t “just about money”, alleging that the service links to illegal and harmful content including “paedophilia and similar things”.
Discord.io — a directory where users can search for Discord servers matching their interests — first became aware of the data breach when a user named Akhirah appeared on the Breached hacking forum offering its data for sale.
Offering a few examples to prove the attack’s legitimacy, Akhirah promised that the credentials of 760,000 users were up for grabs. The data is said to include usernames, email addresses, salted and hashed passwords, and billing addresses.
After confirming the legitimacy of the attack, Discord.io announced it would be “stopping all operations for the foreseeable future”, though it claims the most damaging data — the passwords and billing addresses — only impacts “a small number of users.”
In the case of the billing addresses, that’s because only those who purchased before the service adopted Stripe are affected. As for passwords, the service has been exclusively offering Discord as a login option since 2018 and it claims only those who used a separate login before then need worry.
“While your password was encrypted to industry standards, if it was not unique, we urge you to update it on any other site where it might be similar,” Discord.io says.
The inclusion of Discord IDs in the breach does “mean that other people might be able to link your Discord account to a given email address,” it conceded.
Despite listing the data for sale on a forum known for hacking and data leaks, Akhirah told Bleeping Computer that his or her motivations aren’t purely monetary.
“It’s not just about money, some of the servers they overlook I [sic] talking about paedophilia and similar things, they should blacklist them and not allow them,” the hacker told the site.
Despite receiving plenty of interest from those who want to use the data dump for “doxing other people they have problems with”, Akhirah told the site that their preference was to wait for Discord.io operators to promise a clampdown on this alleged illegal activity in return for the database not being sold.
This is, of course, just one person’s account, and even if it is accurate, the data is already out of the service’s hands, so it doesn’t hurt to be cautious.
If you used Discord.io and reused your password on other sites, change it on those sites immediately, and be wary of targeted phishing attempts citing your Discord membership.