Private Connections exposed due to bug in connections endpoint

For a relatively short time last night (), requests to the /users/{user.id}/profile endpoint exposed profile connections for which you had "Display on profile" turned off.

Scope of the Incident

These connections were shown only to users who met all of the following requirements:

  • Used Discord Canary
  • Were active from (UTC) to (approximately) (UTC)
  • Opened your full profile card
  • Actually paid attention to what they were shown

While it is concerning that this could happen at all, as a third party we have no reason to believe that any user on the platform was maliciously targeted by this, though that would ultimately be up to Discord to determine.

What should I do now?

The incident has been resolved at the time of writing, but to prevent this from happening in the future, we recommend that you remove any connections you have set to private unless you have no problem with them being exposed.