In their statement, Discord says that they deactivated the account as soon as they became aware of the incident, and describes the type of information that might have been exposed. They have not (as of this writing) said how long the attacker was using the compromised account, or if the attacker tried to access any other internal systems. The current risk is described as limited, with Discord users being advised to be on the lookout for fraud and phishing attempts.
Discord is a very popular platform that many people use for gaming, general messaging, etc. It hosts millions of “servers,” which are really just chat groups, and upwards of 150 million monthly users. They have been targeted before (as have other messaging platforms), as it is a great way for an attacker to insert themselves into an otherwise trusted platform.
For their part, Discord says they have worked with their support provider on implementing new security practices as a preventative measure. What these are, or how the account was compromised in the first place, is anyone’s guess at this point. Still, it highlights something that everyone should be aware of: third-party risk. Even consumers should think about this, as third parties are often targeted as part of a campaign against a much larger organization. Here Discord was the obvious goal, and the insecure partner allowed access. As a customer or user of an organization, the security of your information is very often in the hands of groups that are not even known to you. To make things even more awkward, most of these third parties also have their own services that they allow others to run, so now you have fourth-party risk to worry about as well. Isn’t security fun?