Discord.io has been hacked

Hello everyone, it’s Dustin. Happy exploit-of-the-day from Discord.io!

After resetting my modem, Discord’s web browser interface would not resolve a CAPTCHA and let me sign in. If I turned off Privacy Badger (Electronic Frontier Foundation) it would at least show the CAPTCHA, but with it turned on, CAPTCHA did not work at all.

Turning off DuckDuckGo privacy extension didn’t make a difference.

OK, bad day at Discord and they’ll get it fixed I suppose.

Then I saw this and perhaps it is related:

So given my previous and elsewhere expressed dislike of Discord the stand-alone app for privacy reasons (Is Beamdog still active? - #19 by Dustin_Offal) this brings to a conclusion my use of Discord.


That data breach was a 3rd party site, NOT Discord itself - read “DISCORD.IO | Details about continued operations” under the header “What Should I Do?”

If you ever signed up for Discord.IO, your data was compromised. If you just used Discord, it was not.

As for the non-working Captcha, in my experience, those things glitch out all the time. Either they just continually reset the image (or whatever) they’re using, the checkbox fails to register it was checked, or the site fails to load (resulting in a timeout that sometimes shows a site error page), or the site eventually loads as if the captcha was validated. Thus, captcha is a shitty way to secure a site but it’s better than nothing.

Hi @Pstemarie ,

Yes, I understood and realized that. Regardless, even if Discord.io does not have API access to Discord, my years doing IT security stuff tend to make me professionally paranoid and I am quick to discard something that doesn’t meet my admittedly quite demanding standards.

FWIW, I am NOT advocating that everyone should leave Discord. However, I do not myself use Discord enough to merit the effort I feel is warranted to keep an eye on them.

I agree that CAPTCHA as a security measure is weak and that it is better than nothing. If privacy and security is a concern for a given user, use 2FA (two-factor authentication), which Discord does provide.

More generally, there are plenty of choices of online chat services out there or you can run your own if you want to put out the effort.

It’s pretty OK for me not to like this one. I have not used it for anything other than chat.

I will, however, stop proselytizing on the topic! :wink:

Brief addendum.

I resolved my paranoia by creating yet another pseudonymous email account and used that to create a new Discord account.

CAPTCHA still will not work under Firefox for me, but Microsoft Edge works well enough.