Discord — Data Breach
Executive Summary
Reports revealed that Spy.pet, a data scraping service operating since November 2023, had harvested over 4 billion public messages from 14,000+ Discord servers and built profiles on 620+ million users, selling the data for cryptocurrency. Discord banned all affiliated accounts and took the site offline by late April 2024, stating it was considering legal action.
What Happened
A data scraping service called Spy.pet had been operating since November 2023, harvesting over 4 billion public messages from more than 14,000 Discord servers and building profiles on over 620 million users. The service sold access to this aggregated data for as little as $5 in cryptocurrency, organizing the information into user profiles that included aliases, pronouns, connected accounts, Discord servers joined, and public messages. Discord responded by banning all affiliated accounts, taking the site offline by late April 2024, and stating it was investigating the matter for potential legal action.
Who Is Affected
Over 620 million Discord users across more than 14,000 servers are affected, with their public messages and profile information compiled into searchable databases. The aggregated data is particularly concerning for users whose activity across disparate servers has been consolidated into single profiles that can be looked up by anyone with a Discord User ID and cryptocurrency. The service scraped data that may include information about minors and EU citizens, raising additional legal concerns about consent and data protection rights.
Why It Matters
This incident demonstrates how publicly accessible data can be weaponized when aggregated at scale, effectively removing the privacy-through-obscurity that Discord users may have assumed when their activity was spread across separate servers. The ease of access to this data for as little as $5, available on the regular web rather than requiring specialized access, significantly lowers the barrier for potential stalkers, law enforcement, or other third parties to comprehensively monitor individual users. The service's operation also highlighted potential violations of laws protecting minors and EU data protection regulations, while Discord's response indicated the company views such scraping as violating its Terms of Service.
What You Should Do
Discord users should review their privacy settings and consider limiting what information they share publicly on the platform, including connected accounts and profile details. Users can check if their data has been exposed by using digital footprint scanning tools with their email address. EU citizens and parents of minors who believe their data was included should document the incident, as the scraping may have violated data protection laws in their jurisdiction.
AI-Assisted
Event summaries are generated by Claude AI from verified sources and reviewed by humans before publication.