The data of some 760,000 Discord.io users has been put up for sale on the Dark Web this week, cybersecurity experts warned. Though Discord.io – which has temporarily shut down following the data breach – is not an official Discord site, the third-party service allowed server owners to create custom invites to their channels. Much of the community was also built around its Discord server.
It was on Monday that an individual known as “Akhirah” was first discovered offering the Discord.io database for sale on the new Breached hacking forum, and as proof of the theft the actor shared four user records. According to a report from Bleeping Computer, the Breached forum is a rebirth of a prior Dark Web site that was known for the sale and leaking of data stolen in data breaches.
“On the night of the 14th of August, Discord.io suffered a major data breach, resulting in content from our database being leaked to unknown actors,” a Discord.io admin posted on Tuesday. “We were made aware of the breach later on in the day, and after confirming the content of the breach, we decided to shut down all services and operations.”
Discord.io is still investigating the breach, but it is believed to have been caused by a vulnerability in the website’s code. The service has said that the threat actors gained access to non-sensitive information including internal ID, avatar information, coin balance and API keys – although the latter reportedly does not provide access to a user’s account. Potentially sensitive information that was breached also included username, Discord ID, email address and billing address for those who made a purchase from the site.
Discord.io Not Discord
Discord, the instant messaging and video-over-IP social platform, was quick to address that it is not affiliated with Discord.io – and that it does not share any user information directly.
However, Discord still encouraged users to enable two-factor authentication (2FA) to help keep accounts protected, and to consider SMS authentication.
Discord was in the spotlight earlier this year, after 21-year-old Jack Teixeira, a former Massachusetts Air National Guardsman, was arrested for allegedly leaking Pentagon documents via the platform that is largely frequented by video game players.
Teixeira was only the most recent gamer to leak classified documents. As many as 53 documents – which could shed light on the war in Ukraine and threatened to upend U.S. relations with its allies around the globe – were apparently shared to Discord, a popular service with video gamers. In just the past few years, gamers from around the world have shared classified materials to gaming forums about classified military platforms, including tanks and aircraft, that are still in active service.
What is the Threat?
At this point, it would seem the threat is minimal for most users. As noted, Discord.io is a third-party service, so most Discord users need not worry, but this is an example of how established and even well-protected services can have data compromised via third parties.
“Unfortunately, even with the somewhat limited information that was exposed, attackers can now craft more personalized spear phishing or other social engineering campaigns against those whose data was lost,” Erich Kron, security awareness advocate at KnowBe4, told ClearanceJobs via an email.
“The fact that the domain name is close to that of the actual Discord service makes it easy for people to mistake it as an official Discord site, and this might have contributed to its success and the number of records it was able to collect,” Kron added.
“This can be a lesson for organizations when it comes to protecting domain names that are similar to their official one,” Kron suggested. “For individuals whose information was leaked through this breach, it’s important that they are aware that this will likely lead to targeted emails or other social engineering attacks.”
Oversharing is Likely the Bigger Discord Problem
Though some Discord.io users may have their sensitive information leaked, it is unlikely that any classified materials will find their way to the Dark Web from this breach. That would have likely been true, even if this had impacted Discord as opposed to just the Discord.io service.
“Other than IDs and passwords you’d typically argue that the discussions on Discord are about gaming and not much risk except we had that U.S. document leak where confidential U.S. documents were put on Discord and, if something happens once, it certainly could happen again,” warned technology industry analyst Rob Enderle of the Enderle Group.
“The risk is there may be stuff on Discord that shouldn’t be on Discord that is sensitive,” Enderle told ClearanceJobs. “That shouldn’t be Discord’s problem, but if the breach results in a government security problem, governments tend to take action against the most visible cause of the issue and Discord is a potentially easy target to hit. Regardless of how the state secrets got there, losing them could be problematic for the company.”
A bigger issue could be that private conversations on such platforms could undoubtedly include discussions that people don’t want to be public. That sort of information could result in problems during a background check.
“This is just a reminder to not put anything into any forum that you wouldn’t want your boss, spouse, kids, pastor, friends, competitors, or governments to find out about,” said Enderle.