Private Connections exposed due to bug in connections endpoint
For a relatively short time last night (), requests to the /users/{user.id}/profile endpoint exposed profile connections for which you had "Display on profile" turned off.
Scope of the Incident
These connections were only shown to users who met all of the following requirements:
- Used Discord Canary
- Were active from (UTC) to (approximately) (UTC)
- Opened your full profile card
- Actually paid attention to what they were shown
While it is concerning that this could happen at all, as a third party we have no reason to believe that any user on the platform was maliciously targeted by this, though that would ultimately be up to Discord to determine.
What should I do now?
The incident has been resolved at the time of writing, but to prevent this from happening in the future, we recommend that you remove any connections you have set to private unless you have no problem with them being exposed.