Thankfully I never used this website exactly because I feared this.
There was a link to join a discord server via Discord.io that showed as a top Google result.
I clicked it not even aware it was 3rd party. Thankfully OAuth gave me the friendly confirmation page saying "You are about to connect with this third party service and grant full access to your account."
I said WTF? NO
Shame on the Discord legal team and their executive team for completely lacking diligence on this.
If Discord was allowing this website to run for so long using this brand, don't they risk losing the trademark because of the dilution due to non-enforcement?
> The circumstances under which a company could actually lose a trademark—such as abandonment and genericide—are quite limited. Genericide occurs when a trademark becomes the standard term for a type of good (‘zipper’ and ‘escalator’ being two famous examples). This is very rare and would not be a problem for Canonical unless people start saying “Ubuntu” simply to mean “operating system.” Courts also set a very high bar to show abandonment (usually years of total non-use). Importantly, failure to enforce a mark against every potential infringer does not show abandonment.
Yes. Trademark law says the use of a trademark as a trademark is an issue. Using the Discord logo to link to a Discord channel is fine. Allowing a site to be named Discord with a different TLD is using a trademark as a trademark and that can have consequences. The whole point of trademark is to distinguish goods/services and by failing to prevent the use of discord.io they're kinda dropping the ball here in my opinion.
No, it’s still trademark infringement. Especially since it relates to the same product. It would be different if they were unrelated but this is about as bad as infringement and brand confusion can get. Any competent legal OR marketing team would have sent them a C&D ages ago.
If Discord.io was using OAuth then this would largely be a non-issue as those tokens could be invalidated or revoked, by Discord, trivially. And they wouldn't have any password data, hashed or otherwise.
Granted, I don't use discord.io, so maybe I'm missing something.
> Salted and hashed passwords (mainly concerning users prior to 2018 when Discord.io began exclusively using Discord for logins)
So it sounds like they used to have their own accounts before integrating via Discord OAuth, and some users may be affected by this. Unsure if they didn't delete users' hashed PWs once they migrated to the OAuth flow or something like that.
Based on the screenshot it would seem they do have hashed passwords, specifically it looks like bcrypt hashes with a cost factor of 8. Not sure why the cost would be so low, or indeed why the hashes are available at all.
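An added check for the point above about reading the cost factor straight off the hash (example code, not from the thread): a bcrypt string encodes its cost in the second `$` field, so a defender auditing a dump of their own password store can parse it without any library. The hashes below are constructed sample values, not data from the breach, and the `min_cost` threshold is an assumed policy value.

```python
import re

# Modular-crypt form of a bcrypt hash:
#   $2<variant>$<cost>$<22-char salt><31-char digest>
# The cost is log2 of the key-setup rounds, so cost 8 = 256 rounds.
BCRYPT_RE = re.compile(r"^\$2([abxy]?)\$(\d{2})\$([./A-Za-z0-9]{53})$")

# Constructed sample store: one cost-8 hash (as seen in the screenshot),
# one cost-12 hash, and one legacy unsalted hex digest. Not real hashes.
SAMPLE_STORE = {
    "alice@example.invalid": "$2b$08$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234",
    "bob@example.invalid":   "$2b$12$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234",
    "carol@example.invalid": "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8",
}


def parse_bcrypt(stored):
    """Return the fields of a bcrypt string, or None if it is not bcrypt."""
    m = BCRYPT_RE.match(stored)
    if not m:
        return None
    variant, cost, body = m.groups()
    return {
        "variant": "2" + variant,
        "cost": int(cost),
        "rounds": 2 ** int(cost),
        "salt": body[:22],
        "digest": body[22:],
    }


def audit_store(store, min_cost=10):
    """Flag every entry that is not bcrypt or is bcrypt below min_cost.

    Returns a list of (identifier, reason) tuples; an empty list means
    every stored hash meets the assumed policy.
    """
    findings = []
    for ident, stored in store.items():
        parsed = parse_bcrypt(stored)
        if parsed is None:
            findings.append((ident, "not bcrypt"))
        elif parsed["cost"] < min_cost:
            # Report how much cheaper brute force is than at the policy cost.
            factor = 2 ** (min_cost - parsed["cost"])
            findings.append((ident, f"cost {parsed['cost']} is {factor}x weaker than cost {min_cost}"))
    return findings


if __name__ == "__main__":
    for ident, reason in audit_store(SAMPLE_STORE):
        print(f"{ident}: {reason}")
```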
Normally I think it's lame when a product-for-a-product (there's probably a better term) has to abide by stringent branding guidelines to not look official. e.g. when third-party reddit clients (RIP) had to change from e.g. "Reddit Sync" to "Sync for Reddit" and they weren't allowed to use the Snoo character in their branding.
But in this case... why was Discord fine with this branding? It looks unabashedly like an alternate official domain for their own service. Googling "what is discord.io" leads to a good handful of confused redditors asking if it's legit/safe.
I'm guessing the British Indian Ocean Territory doesn't have a lot of administrators to handle trademark claims. According to Wikipedia, "the only inhabitants are British and United States military personnel, and associated contractors, who collectively number around 3,000 (2018 figures)."
Darn that global Internet, allowing people to use unauthorized chat clients with impunity!
The .io domain is officially administered out of the UK and is owned by Ethos Capital, a private equity firm out of the US. Surely both the American and/or UK courts would be valid avenues for enforcement.
There are other ways to shut down a third-party service, from sending a cease and desist letter for trademark infringement to server-side blocking of access to their API.
A sense of discord washes over me as I eat an apple in front of a computer running XWindows. A lesson about using a common English word as a trademark becomes apparent in my mind.
>Darn that global Internet, allowing people to use unauthorized chat clients with impunity!
The problem here is that people are choosing to use Discord despite the fact that it is so stupidly proprietary. If Discord actually enforced its rules all the time there'd have been far fewer teamspeak/irc/mumble/etc people lured into its walled garden. It is a literal bait and switch.
So it's important to point out a large fraction of the ways people do use Discord are actually very much against the TOS and could be prosecuted under the CFAA as felonies if Discord corporate thought they were rocking the boat and decided to buy a district attorney. It's the worst of both worlds.
> people are choosing to use Discord despite the fact that it is so stupidly proprietary
This has zero relevance to normal users. Does teamspeak/irc/mumble/etc even support live streaming with screen+audio capture to a group chat? That's a pretty basic feature in 2023. I'm not aware of any serious open source competitors in this space.
It was primarily a way for non-partner servers to have permanent, readable invite links before these became available officially (by paying users boosting a server). It wasn't actually a third party interface that recreated the discord client or anything (unless that's a recent development).
Ok so when I've never used a 3rd party discord service I'm safe.
I got scared there for a moment, but then I thought what would I lose? Nothing at all. Nothing that can't be replaced.
No contacts worth keeping.
Having OAuth creds is a totally different thing than having access to your account. I support "Log in with Discord" on my site that uses the OAuth flow and the only thing I get out is a set of creds that can hit /user/@me and let me say "the user that just authed is this Discord user." Now discord.io could have asked for everything but the risk of some random integration is on average a lot less. To my knowledge absolutely nothing has the rpc scopes.
The good news is that even with every scope you can't take over the account and the service can just be removed cutting off their access for sure.
Why are all the other replies so mysterious and LARPy?
https://discord.io/ has been replaced with a termination notice, and they directly mention where the credentials are being sold. Google the name, it's the top result.
Leaked credentials are sold on the open internet, on sites indexed by search engines. This isn't some quadruple proxy Anonymous hacker TOR exclusive club.
Edit: One better - any time you hear Microsoft, or Google, or Krebs, talking about some new "advanced" "Russian" "APT", 9 times out of 10 it's a kid posting on one of these forums, reselling stale credentials, or a fork of Mirai, or some other totally non-credible threat.
This stuff is WAY less cool than people make it seem.
Various darknet fora. Certainly nowhere on clearnet. There are search engines that deal with such things, though I'll bet there's a 99:1 ratio of scam to legit. I have no idea how someone would go about validating what they saw.
1. confirming the emails were not already listed in other databases / leaks;
2. going to the actual Discord platform and performing a "Forgot Password" request, entering a stolen email, and seeing if it goes through or not, as Discord confirms if an email exists or not during this flow;
3. contacting Discord.io directly, who confirmed & put out a statement.
Other data breaches are harder to verify. Troy Hunt (owner of haveibeenpwned.com) described this in far more interesting ways than I ever could[0], but for each breach, it varies.
Until recently, every time a story was run about a leak being "for sale on the dark web", you could visit raid forums or breach forums, both clearnet sites, and note that's where it's for sale.
Validation is likely tied to reputation - such as by showing a sample to an established moderator / community member and them vouching that the data seems real.
I have a directory of most of them. I would not post it under my real identity, obviously, but if you happen to be into the cybersec space you definitely came across some of these sites; there are even sites with the latest APT discovered up to this month too.
To those who used discord.io, what was the appeal of it over discord.gg? Unfortunately their site is down so I can't even see what its own marketing said.
How would one know if they're affected? I use Discord but have no recollection how I signed up... probably via the first search hit (which could be an ad).
Google also has their own people seemingly trolling through onion sites buying up packages of cracked data so they can run it against their own properties and see if anyone is affected.
It sounds like one would need to have connected their Discord account with this separate Discord-related app. If you didn't do that, I would expect your account wasn't breached.
[e: i apparently mistook discordio for a couple of the other discovery platforms we utilized, but it seems to be the same concept as the others, looking at the web archives]
discordapp back then was really just a collection of servers pretty siloed/insulated from each other, with barebones voice and text chat functionality.
discordio offered some basic form of discovery and cross-server exploration/networking when it was effectively nonexistent back then. it, along with other outreach efforts on our part, certainly helped boost our community size and amusingly also attracted a lot of teens approaching us to ask if we wanted to "partner up" with their server (i help administer a studygroup server on discord).
anyway, 'partnered', to my recollection, means a formal arrangement with discord where the particular server community is directly promoted by discord on front pages and such, in exchange for meeting a higher bar of conduct that represents a model community (SFW, PC, etc.).
one of the perks that comes with this is being granted "Level 3" boost status, free of charge (normally costing anywhere from $49-70/mo, depending on circumstances), which is what directly grants the custom link feature.
Do you still have it? I believe a discord I was on had it too, but then they made it a paid feature (boosting) and started taking it away from smaller discords. Or maybe yours got grandfathered.
And this is exactly why companies protect their trademarks. A site called discord.io which offered services on top of Discord but wasn't affiliated with it in any way (but tricked users into believing so by using its logo and screenshots) should have been nipped in the bud a long time ago.
Apparently, this sort of thing happened to Mr. Beast with regards to Mr. Beast Burger. Even though his agreements/contracts forbade the company making the virtual restaurant supplies from doing so, that company trademarked his likeness and brand in half a dozen foreign countries. He's currently suing them for damages, and for not paying him the agreed amount for his participation. (Apparently, they had paid him $0!)
He created the idea at the beginning of the pandemic. His thought process was that the Mr Beast brand would allow smaller stores to carry his product and incentivise people to buy take out from those shops and help during lockdowns.
I don't believe the contract between him and VDC is out, outlining the contractual obligations, SLAs, trademark and marketing issues etc.
Not really anything super wrong with it, other than perhaps it would be harder to air grievances with them because there’s usually nowhere to go, and QC issues.
“Ghost Kitchens” have a more nefarious connotation than “delivery only” though because often it will be a single kitchen yet be advertised as many distinct restaurants. I saw one in one major city that was something like fifteen “different restaurants” operating from the same small space, which is sketchy.
But I think the person to whom you’re responding was relying more on the word “thousands” here. So given the connotation I think opening thousands of these things is pretty sketchy for some random YouTube personality with presumably no experience with restaurants to be opening simultaneously.
should be no different than any other franchisee. If you are worried about them ruining your reputation then you should QC them with secret shoppers, inspectors, etc.
(Don't read if you don't want spoilers. Exit Through the Gift Shop is phenomenal and should be watched without knowing about this guy. Watch it, then read the Wikipedia article for yet another surprise.)
Try to register a company called Apple that builds iPhone apps and you will find out pretty quick how well a sector-specific trademark can be enforced.
And then when we go and search in USPTO we can see the registrations they have for the name “Discord”
For example they have
> Word Mark DISCORD
> Goods and Services IC 045. US 100 101. G & S: Social networking services in the field of gaming. FIRST USE: 20181000. FIRST USE IN COMMERCE: 20181000
> Goods and Services IC 041. US 100 101 107. G & S: online game services, namely, providing on-line computer games; organizing community cultural events; organizing community sporting events, organizing educational seminars, workshops, and conferences in the field of communications, online gaming, online communities and social media; providing non-downloadable webinars in the field of communications, online gaming, online communities and social media
> IC 042. US 100 101. G & S: rental of computer game programs and computer game software; online game services, namely, providing temporary use of online non-downloadable game software; providing computer game subscription-based temporary use of non-downloadable game software
And they have another few as well probably. Didn’t read all of them.
With this Discord can protect themselves and their reputation within their own verticals.
Other people can still have a decent chance of being able to register a trademark for an unrelated product or service named “Discord”, as long as it is noticeably unrelated to the existing marks.
So for example maybe I could start a theatre and get a trademark named “Discord” accepted for my theatre.
A long time ago I registered windowsupdate.ms and put a small timeline there about the technological advancements we've made to windows over time— from holes in the wall, to grease paper, to bullet proof glass.
This is going to get harder unless the US government or US tech companies censor the Internet to block ones that don't follow US affiliated trademark law. Which I hope you wouldn't support.
Maybe the lazy dog should get a part-time job like rescuing people in the Alps while carrying a little barrel of liquor or barking at people with drugs, money or fruit at the airport.
Yeah, he has his own separate account and a video channel.
This way both my partner and I can check up on him if we both leave the house for longer and it's noisy outside. He's a rescue and sometimes gets anxious/loud, but he's getting better.
Side effect: once I came home to spot him with my brothers who live across the continent chatting and drinking beer.
That’s an excellent idea for rescues. I’m going to pass a link to your comment to a couple of friends who are heavily involved in animal rescues - it sounds like an excellent way to help dogs through trauma! Thanks so much for sharing!
Your last paragraph gave me a funny mental image of your dog sitting in front of a monitor, beer in paw, chatting with your brothers! :)
Probably most, considering it's Discord's logo and screenshots of their app used in the article, and discord.io isn't loading with 522 errors right now so you can't exactly check.
.io has been used as a sort of general-purpose tld to signal sort of… I dunno, hip, dev-focused sites, right? It is at least slightly less novel than gg.
Agree, but it’s important to point out that .gg grew popular in the gaming crowd because “gg” in gaming means “good game”. It’s used in-game in the chat by many players of online multiplayer games as a way of thanking each other after a match. It can be used sincerely or it can also be used sarcastically but in the latter case you’d typically say “ggez” as a taunt implying that the win was easy (“ez”) because you are more skilled than your opposing team.
And for .io of course that one is/was popular among tech companies because it looks similar to “I/O” (input/output).
It's definitely not just me but I only have a data point of one to use: Anytime I see something that isn't .com, .org, or .gov I immediately assume it's less than reputable at best and actively trying to scam/phish me at worst.
It had been that companies that “made” it would eventually pick up the .com. But it seems like it is more common to stick with whatever TLD they had before.
As an American I don't trust most things with a .us TLD. I wouldn't trust another country's TLD, either. But like I said originally -- this is just me. I'm sure others feel like I do but I am not trying to speak for them.
You can, of course, treat domains however you like, but it would be unfortunate to extend your approach worldwide. In many, many other countries the local domain is a strong signal of trust, often more so than a .com/.org.
Thinking through websites I use in Denmark, I struggle to recall one that isn't .dk.
Supermarkets (netto.dk, foetex.dk), public transport (dsb.dk, m.dk, cph.dk), newspapers/TV (politiken.dk, berlingske.dk, dr.dk), University (ku.dk, au.dk), local government (kk.dk), other retailers (computersalg.dk, proshop.dk, elgiganten.dk) ...
The largest grocery delivery company uses nemlig.com, and Ikea uses ikea.com.
As another example, if I'm applying online for a visa to Thailand, that site had better end .th.
Getting a custom URL for a Discord server (e.g. discord.gg/hackernews) requires 14 "server boosts" which cost $35/year each, so nearly $500/year. There's a discount if you have their premium Nitro package, but even then it's something on the order of $300.
Meanwhile discord.io is free and you won't lose your URL to a crypto scam server when someone forgets to renew their boost. Kind of inevitable that such a service would pop up.