Discord.io confirms theft of 760,000 members’ data

Discord.io was/is a third-party service that enables owners of Discord servers to create customized, personal Discord invites. After a preview of Discord.io’s user database was posted on BreachForums, the owners decided to shut down all Discord.io services “for the foreseeable future.” Existing premium subscriptions have been canceled, and Discord.io promised to reach out to affected subscribers as soon as possible on an individual basis.

The site confirms that there has been a data breach

The stolen information could include your Discord.io username and your Discord ID, your email address, your billing address, and a salted and hashed password if you signed up in 2018 or earlier. (In 2018 Discord.io started to exclusively offer Discord as a login option.)

Payment details are said to be safe because they are stored safely by the payment partners, Stripe and PayPal. Discord.io has confirmed the authenticity of the breach, which was carried out by an entity acting under the name Akhirah.

It is important to know that Discord is not affiliated with Discord.io. A spokesperson from Discord told Stackdiary:

“Discord is not affiliated with Discord.io. We do not share any user information with Discord.io directly and we do not have access to or control of information in Discord.io’s custody.”

Discord has revoked the OAuth authentication tokens for any Discord user that has used Discord.io, so that the app can no longer perform actions on behalf of those users until they re-authenticate. Affected Discord users should change their passwords and enable multi-factor authentication (MFA).

To enable MFA on Discord:

  • Open the Discord desktop app or go to discord.com/login and enter your credentials to log in.
  • Go to the second vertical tab, and then click the gear icon beside the Mute and Deafen options to open user settings.
  • In the My Account tab, scroll down and click Enable Two-Factor Auth.
  • Enter your Discord password and open the authenticator app of your choice on your device.
  • Scan the QR code and enter the six-digit code to enable 2FA. You may want to write down the key and store it in a secure space, in case you should somehow lose access to your account.
  • Click Enable SMS Authentication to enable 2FA on Discord via SMS.

Data breach

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

  • Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
  • Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
  • Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
  • Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify any contacts using a different communication channel.
  • Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.

ABOUT THE AUTHOR

Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.