Popular social media platform Discord has notified users that it has suffered a data breach after a support agent’s account at a third party was compromised.
A malicious individual then gained unauthorised access to the agent’s support queue, exposing user email addresses, Discord support messages and attachments sent via the ticket system.
Discord – which has a user base of over 150 million monthly active users – has deactivated the compromised account and undertaken security checks on the agent’s machine, including malware scans.
The social media platform has collaborated with the third-party partner to ensure security measures have been put in place so that such an incident is avoided going forward.
Discord has contacted users, warning them to remain vigilant for any unusual activity regarding their accounts, including phishing or fraud attempts.
Commenting on the news and offering insight are the following cybersecurity experts:
Jamie Boote, associate principal consultant at the Synopsys Software Integrity Group, said, “Companies need to take a top-down approach to protecting their data. It starts with policy and standards that classify all types of data the company would expect to create, collect, store, or generate. Once these data classification standards are in place, companies then need to catalogue where all sensitive or privacy data is collected, handled, or stored into an inventory. You can’t protect something if you don’t know where or what it is.”
Alex Archondakis, Head of Professional Services at Pentest People, comments: “Organisations often focus security resources on their own internal and external assets; however, this attack proves that your security is only as good as the weakest link in your supply chain. Every level of the supply chain should be analysed to understand what type of data or access can be acquired from exploiting it. The company chosen for each section should be researched to ensure that they perform regular penetration tests against their systems and hold relevant cyber security certificates such as Cyber Essentials Plus. In the case of third parties storing your sensitive data, one should ensure that anyone with access to it has been through relevant vetting procedures.”
Chris Hauk, Consumer Privacy Advocate at Pixel Privacy, said, “The growing popularity of Discord, especially among gamers, makes it an increasingly attractive target for the bad actors of the world. Discord users must remain alert for any phishing emails using the email addresses gleaned in the data breach.”
Paul Bischoff, Consumer Privacy Advocate at Comparitech, added, “Scammers might personalise their messages using data from the breach to make them more convincing. Never click on links or attachments in unsolicited messages!”