Discord.io has suffered a data breach


On the night of the 14th of August, Discord.io suffered a major data breach, resulting in content from our database being leaked to unknown actors.
We were made aware of the breach later on in the day, and after confirming the content of the breach, we decided to shut down all services and operations.

What happened?

We are still investigating the breach, but we believe that the breach was caused by a vulnerability in our website's code, which allowed an attacker to gain access to our database. The attacker then proceeded to download the entire database, and put it up for sale on a 3rd party site.

What data was leaked?

Non-sensitive information about your account:

  • Your internal user ID
  • Information about your avatar
  • Your status (moderator/admin/has ads/banned/public/etc)
  • Your coin balance, and current streak in our free minigame.
  • Your API key (this does not give access to your account, and was only available to less than a dozen users).
  • Your registration date.
  • Your last payment date and the expiration date of your premium membership.

Potentially sensitive information about your account:

  • Your username
    • Either the one you provided at signup, or, for most of you, your current Discord username.
  • Your Discord ID
    • This information is not private and can be obtained by anyone sharing a server with you. Its inclusion in the breach does, however, mean that other people might be able to link your Discord account to a given email address.
  • Your email address
    • Either the one you provided at signup, or, for most of you, your current Discord e-mail address.
  • Your billing address
    • This should only concern a small number of people and corresponds to the billing address you gave us in order to make a purchase on our site before we began using Stripe.
  • Your salted and hashed password
    • This should only concern a small number of people from before we exclusively offered Discord as a login option (starting in 2018). While your password was encrypted to industry standards, if it was not unique, we urge you to update it on any other site where it might be similar.

Discord.io does not store any payment information, and all payments are processed through PayPal and Stripe. We do not store any payment information on our servers, and this information was not leaked.

In summary, this probably means being extra careful over the coming days and weeks, just to be safe: strange emails may now show up, and if you have used your password more than once, please change that password too.
This is only about a third-party provider, though, not Discord itself.

I think this will affect very few people here. Still, it's always good to share news like this.

Anyone who uses their real email address with all of these services has lost control of their life anyway. You should at least use aliases and change them when needed, if everything absolutely has to go through your primary mailbox.