Recently, rumors began circulating about a well-known service – Discord – having suffered a data breach. In this blog, we will dig further into them.
The Rumors Surrounding Discord
A couple of months ago, Reddit’s Discord community was on fire: people suspected that Discord might have suffered a data breach. Some said they had even seen videos of Discord servers being hijacked and shared their theories on how the hijacking might have occurred; others raised concerns about different kinds of issues, one of them being the following:
- Anyone with access to an account could head over to the billing section.
- In the billing section, they could apparently see, in full, all of the sensitive payment details that had previously been entered into the application.
This might not sound like a big deal, but the reason it caused a ruckus is that showing stored payment details in full is very much an outdated practice. Reddit users argued that an application that cares about user privacy and security should do at least one of the following: partially mask the details (e.g. display only the last four digits of the credit card), prompt the user to re-enter their password before opening any part of the site that deals with sensitive information, or avoid holding the raw details at all. One caveat on that last point: the threads suggested keeping the details in the database “in a hashed format”, but hashing only suits secrets that are compared rather than displayed, such as passwords; card numbers are normally left with the payment processor and referenced by a token. As a cherry on the cake, Discord also didn’t require email confirmation to change the password of an account.
Not only that, though: Discord was also criticized for making two-factor authentication practically useless. A user could remove the two-factor mechanism from their account by entering only their password, and could likewise reset their time-based one-time password (TOTP) backup codes with the password alone. In other words, anyone who had phished or otherwise obtained the password could strip the second factor off the account before its owner noticed.
After Discord was made aware of the issue, the company rushed to fix it. However, some users remained concerned about backup codes and about the still-unverified password change: Discord initially fixed part of the issue by requiring email confirmation before TOTP backup codes can be viewed, but apparently overlooked the fact that changing a password should also require verification from the user.
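To make the step-up checks discussed above concrete, here is an added Python example; it is not Discord’s code and not taken from the Reddit threads. It models an account service in which the billing page masks the card and needs a recent password re-entry, disabling TOTP needs the password plus a current TOTP code or a backup code, regenerating backup codes needs an e-mailed confirmation token, and changing the password needs all three. The policy values REAUTH_WINDOW and EMAIL_TOKEN_TTL, the sample card number, the in-memory token store and the function names are assumptions made for this demo; the TOTP routine follows RFC 6238 and can be checked against that RFC’s published test vectors.

```python
from __future__ import annotations
import hashlib, hmac, secrets, struct
from dataclasses import dataclass, field

REAUTH_WINDOW = 300    # assumed policy: seconds a password re-entry stays "fresh"
EMAIL_TOKEN_TTL = 900  # assumed policy: lifetime of an e-mailed confirmation token

class StepUpRequired(Exception): pass  # a fresher or stronger proof of identity is needed

def mask_card(pan: str) -> str:
    """Display only the last four digits of a card number."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if len(digits) < 4:
        raise ValueError("not a card number")
    return "**** **** **** " + digits[-4:]

def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: RFC 4226 HOTP (HMAC-SHA1, dynamic truncation) over now // step."""
    mac = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    totp_secret: bytes | None = None
    backup_hashes: list[str] = field(default_factory=list)  # backup codes are stored hashed
    card_pan: str = "4111 1111 1111 1111"                   # constructed sample card number
    last_reauth: int = -10**9                               # never re-authenticated
    email_tokens: dict[str, tuple[str, int]] = field(default_factory=dict)  # token -> (purpose, expiry)

def make_account(password: str, totp_secret: bytes | None = None) -> Account:
    salt = secrets.token_bytes(16)
    return Account(salt, hash_password(password, salt), totp_secret)

def check_password(acct: Account, password: str) -> bool:
    return hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash)

def second_factor_ok(acct: Account, code: str, now: int) -> bool:
    """Accept the current TOTP (one step of clock skew) or consume a single-use backup code."""
    if acct.totp_secret is None:
        return True                                         # nothing enrolled, nothing to prove
    if any(hmac.compare_digest(totp(acct.totp_secret, now + s), code) for s in (-30, 0, 30)):
        return True
    digest = hashlib.sha256(code.encode()).hexdigest()
    for stored in acct.backup_hashes:
        if hmac.compare_digest(stored, digest):
            acct.backup_hashes.remove(stored)               # each backup code works once
            return True
    return False

def require_password_and_factor(acct: Account, password: str, code: str, now: int) -> None:
    if not check_password(acct, password):
        raise PermissionError("wrong password")
    if not second_factor_ok(acct, code, now):
        raise StepUpRequired("current TOTP or backup code required")

def reauthenticate(acct: Account, password: str, now: int) -> bool:
    ok = check_password(acct, password)
    if ok:
        acct.last_reauth = now
    return ok

def view_billing(acct: Account, now: int) -> str:
    if now - acct.last_reauth > REAUTH_WINDOW:              # recent password re-entry required
        raise StepUpRequired("re-enter your password")
    return mask_card(acct.card_pan)                         # and even then the card stays masked

def issue_email_token(acct: Account, purpose: str, now: int) -> str:
    token = secrets.token_urlsafe(32)
    acct.email_tokens[token] = (purpose, now + EMAIL_TOKEN_TTL)
    return token  # a real service e-mails this; it is returned only so the example runs offline

def redeem_email_token(acct: Account, token: str, purpose: str, now: int) -> bool:
    entry = acct.email_tokens.pop(token, None)              # single use
    return entry is not None and entry[0] == purpose and now <= entry[1]

def disable_totp(acct: Account, password: str, code: str, now: int) -> None:
    require_password_and_factor(acct, password, code, now)  # password AND second factor
    acct.totp_secret, acct.backup_hashes = None, []

def regenerate_backup_codes(acct: Account, token: str, now: int) -> list[str]:
    if not redeem_email_token(acct, token, "backup_codes", now):
        raise StepUpRequired("e-mail confirmation required")
    codes = [secrets.token_hex(4) for _ in range(8)]        # shown once, stored hashed
    acct.backup_hashes = [hashlib.sha256(c.encode()).hexdigest() for c in codes]
    return codes

def change_password(acct: Account, old: str, new: str, code: str, token: str, now: int) -> None:
    require_password_and_factor(acct, old, code, now)       # current password and second factor
    if not redeem_email_token(acct, token, "password_change", now):
        raise StepUpRequired("e-mail confirmation required")
    acct.salt = secrets.token_bytes(16)
    acct.pw_hash = hash_password(new, acct.salt)
    acct.last_reauth = -10**9                               # sensitive pages need a fresh re-entry
```

Two details matter more than the overall shape: every secret comparison goes through hmac.compare_digest so that response timing leaks nothing, and each e-mailed token is bound to one purpose and popped on first use, so a token issued to view backup codes cannot be replayed to change the password.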
As for a data breach, the rumors appear to be unfounded: Discord has not confirmed any data breach or data leak, and users themselves seem to have little concern that one occurred.
Discord didn’t suffer a data breach. However, it’s very likely that the engineering team behind Discord’s infrastructure followed some sloppy security practices while building the application, and some of them have recently come to light.
The security issues Discord apparently faced were not a very big deal, though: these kinds of issues are easy to fix, and they were not exactly critical to the users of the application, even if password-only removal of 2FA did mean an account was only ever as strong as its password.
However, the incident once again proved that both the developers and the security teams behind an application need to be incredibly vigilant when dealing with user information: one step in the wrong direction, and the security infrastructure backing an application can be done for. We hope that you’ve found this article interesting and of value. Make sure to run a search through the data breach search engine provided by BreachDirectory to ensure that you’re not at risk of identity theft, secure those around you, make use of the capabilities provided by the BreachDirectory API service, and until next time!