Discord.io Temporarily Shuts Down After Hack, Promises Security Overhaul


A third-party service that let thousands of users create custom invites for Discord is temporarily shutting down following a hack.

Discord.io on Tuesday confirmed it suffered a “major data breach,” which resulted in a hacker downloading its entire database. “We were made aware of the breach later on in the day, and after confirming the content of the breach, we decided to shut down all services and operations,” Discord.io said in an announcement. 

The hacker, who goes by the name “Akhirah,” claims to have stolen data on 760,000 Discord.io users. Akhirah says the hack was motivated in part by the fact that Discord.io allegedly links to child sexual abuse material. The hacker tells Bleeping Computer they would be open to keeping the stolen information private if Discord.io deletes those links, but the stolen data is also currently available for sale on a hacking forum.

Discord.io says it’s “still investigating the breach, but we believe that the breach was caused by a vulnerability in our website’s code, which allowed an attacker to gain access to our database.”

The good news is that affected users don’t need to change their passwords on Discord itself because Discord.io was only storing Discord user IDs, not any Discord authentication tokens. 

Still, the hacker stole email addresses associated with Discord.io users, along with the billing addresses of those who made purchases on the service before it started using the Stripe and PayPal payment platforms.

In addition, a small number of users who signed up with Discord.io prior to 2018 had their password information stolen. However, the stolen password data was salted and hashed. “While your password was encrypted to industry standards, if it was not unique, we urge you to update any other site that might have used this password,” Discord.io adds.  

Although Discord.io has temporarily shut down, the service plans on returning with stronger security in place. “This will include a complete rewrite of our website’s code, as well as a complete overhaul of our security practices,” it says. 
