CyberSecurity SEE

Discord experiences data breach due to third-party compromise

Discord, the popular social media platform, recently informed its users that it has fallen victim to a data breach. The breach was reportedly caused by a support agent’s account at a third party becoming compromised. A malicious individual then gained unauthorized access to the agent’s support queue, allowing them to expose user email addresses, Discord support messages, and attachments sent via the ticket system.

Discord, which boasts over 150 million monthly active users, promptly deactivated the compromised account and carried out security checks on the agent’s machine, including malware scans. The company also liaised with the third-party partner to ensure that security measures were put in place to prevent similar incidents from occurring.

As part of damage control, Discord contacted its users to warn them to remain vigilant against any suspicious activity regarding their accounts, including phishing or fraud attempts. The company took steps to reassure its users by indicating that they could safeguard their accounts by enabling two-factor authentication (2FA) and using a strong and unique password.

Reacting to Discord’s data breach, cybersecurity experts offered their observations on the importance of data protection measures and the need to check on third-party security frameworks. Jamie Boote, associate principal consultant at the Synopsys Software Integrity Group, noted that “companies need to take a top-down approach to protecting their data.” Boote added that companies should start by classifying all types of data that they would be expected to create, collect, store, or generate, while cataloging in an inventory where all sensitive or privacy data is collected, handled, or stored. He emphasized that “you can’t protect something if you don’t know where or what it is.”

Alex Archondakis, Head of Professional Services at Pentest People, stated that “organisations often focus security resources on their own internal and external assets.” However, Discord’s recent data breach incident proves that “your security is only as good as the weakest link in your supply chain.” Archondakis suggested analyzing every level of the supply chain to understand the type of data or access that can be acquired from it. He also advised researching companies that are chosen for each section to ensure they perform regular penetration tests against their systems and hold relevant cybersecurity certificates.

Chris Hauk, Consumer Privacy Advocate at Pixel Privacy, observed that the growing popularity of Discord, especially among gamers, makes it a lucrative target for cyber criminals. Hauk advised Discord users to remain vigilant against phishing emails that use email addresses obtained from the data breach.

Paul Bischoff, Consumer Privacy Advocate at Comparitech, warned users to be wary of scammers who might personalize their messages using data from the breach to make them more convincing. Bischoff advised users not to click on links or attachments in unsolicited messages.

In conclusion, data breaches have become a menace to online platforms, organizations, and businesses. Discord’s data breach is a reminder that all companies must adopt top-down data protection measures to safeguard their customers’ sensitive information. Organizations should also conduct security checks on their third-party partners as an added safety measure. Discord’s prompt action in deactivating the compromised account and liaising with the third-party partner to put security measures in place should serve as a valuable example to other companies and platforms to take proactive measures to handle data breaches and protect their users.
