back to article Discord.io pulls the cord after crooks steal 760K users' info

Discord.io has shut down "for the foreseeable future," after crooks stole, and then put up for sale, data belonging to all 760,000 of the service's users. The attack happened on Monday night"resulting in content from our database being leaked to unknown actors," according to a notice on the Discord.io website. After swiping …

  1. Pascal Monett Silver badge

    Good and bad here

    Bad points for the break-in. Shoddy code ? That's a shame.

    But A+ for handling the fallout. Full admission of the break-in, without pussy-footing about the issue. Passwords salted and hashed, miscreants aren't going to be able to do much with that. Premium subscriptions reimbursed, can't fault them there.

    Promise to do better ? You betcha.

    There are a lot of companies who could take notes here.

    1. MJB7
      Boffin

      Re: Good and bad here

      > Passwords salted and hashed, miscreants aren't going to be able to do much with that

      Depends _how_ it is hashed. If it PBKDF2 with 1000 iterations of SHA1, it'll take longer to download the data than to find if the password is one of the top 1000 passwords.

      If they are following OWASP recommendations and using Argon2id with a minimum configuration of 19 MiB of memory, an iteration count of 2, and 1 degree of parallelism then I agree. However "following OWASP" probably isn't the way to bet in this case.

      ... but I do agree that they deserve plaudits for being upfront about the situation.

    2. SnailFerrous

      Re: Good and bad here

      Also kudos for no canned "protecting our customer's data is our highest priority" statement.

    3. CowHorseFrog Silver badge

      Re: Good and bad here

      Given how quick they came to the conclusion their code is bad... why didnt they close it down before the breakin ?

  2. Twaswiz

    Honesty

    In a world of obvious and not so obvious lies, it is refreshing to see honesty and openness.

    You know when a store is great to deal with when you have a problem and they handle it well.

    Same goes here, this should improve our trust in Discord as an organisation in the long run.

    1. Zippy´s Sausage Factory

      Re: Honesty

      This isn't discord though, it's a third party service that connects to it. Like imgur used to be in regards to Reddit.

  3. steviebuk Silver badge

    Question is

    Did they ever bother to pony up for any security testing of the current state? I'm assuming not.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like