Discord.io, a third-party site that allows users to create custom server invites for the instant messaging and voice app Discord Inc., has been taken offline after a data breach led to the exposure of the information of more than 760,000 users.

The breach took place Monday night and Discord.io was taken offline shortly thereafter. For the sake of clarity, Discord.io is not affiliated with Discord, but acts as a third-party marketplace where users can create and list custom invites to their Discord channels for discovery. On the service, users can provide attributes and information about their communities so that people can more easily find and join them.

“On the night of the 14th of August, Discord.io suffered a major data breach, resulting in content from our database being leaked to unknown actors,” Discord.io staff wrote on the website. “We were made aware of the breach later on in the day, and after confirming the content of the breach, we decided to shut down all services and operations.”

According to a report from BleepingComputer, a person known as “Akhirah” began offering the stolen Discord.io database for sale on the Breached hacking forums with proof in the form of four hacked user records.

Amid the records leaked in the breach, Discord.io warned users that their site username, Discord ID, email address, billing address and salted/hashed password were part of the information stolen. The staff stressed that Discord.io does not retain any payment information because all payments are processed through Stripe and PayPal.

Users were warned that if they had signed up for the site before 2018, their passwords could be at risk. Although they would be encrypted, this was a time before the website began using Discord’s own login system to allow users to connect to the website. Users should think about updating setting up two-factor authentication elsewhere and checking their passwords, especially if they used the same password across different websites.

Less sensitive data in the breach included internal user IDs, avatar details, user status, coin balances and registration dates. The application programming keys for accessing Discord channels was also leaked, but those keys have been revoked by Discord, the official application, so although those were exposed, they are now useless.

Akhirah appears to be offering the database for sale on the Breached website, but when they were contacted by BleepingComputer, they said that the intent was not entirely about money. According to the hacker, Discord.io does not moderate its invite marketplace and allegedly links to illegal and harmful content.

“It’s not just about money, some of the servers they overlook I talking about pedophilia and similar things, they should blacklist them and not allow them,” Akhirah told BleepingComputer.

According to the hacker, many of the people interested in the database didn’t want it just to get at people for their passwords in order to hack them, but to expose them for “doxing,” which means to leak their documents to the internet. Akhirah said that they’d prefer to wait for Discord.io to get back about removing the offending content from their website in exchange for not selling or releasing the stolen data.

In response to the breach, Discord.io said it’s investigating the probable cause and it appears to be a vulnerability in the website code. In the meantime, the staff has taken the service offline and canceled all active subscriptions. A refund will be offered to anyone who purchased a membership in the past 30 days.

“We will continue to investigate the possible causes of the breach, and we will take steps to ensure that this does not happen again,” the Discord.io staff wrote. “This will include a complete rewrite of our website’s code, as well as a complete overhaul of our security practices.”

Image: Pixabay