Mushroom.gg - leaked databases and 28 million users exposed
Did I discover a database leak with 28 million users data? Yes. Did that company shut down in response? Also yes. Am I proud of it? 100% yes.
If you are lazy and want to watch this in video form - watch here! Thank you No Text To Speech for covering this 🙏
Context
Mushroom is a popular Discord bot and website, with over 140,000 servers using the bot.
What happened?
On February 28th, I discovered that Mushroom had a publicly accessible web panel for a PostgreSQL instance. The panel exposed what looked like production data for Mushroom, with information on users and guilds that used the site/bot. The development instance contained the production data: upon checking, I saw over 28 MILLION entries for users and 5 MILLION entries for guilds - that's potentially 28 million Discord users being exposed publicly. It's not easy to tell for sure how long this was public, so I am unsure whether it was accessed or discovered by any other third parties. On March 1st, just over 24 hours later, I had a reply confirming the public web panel had been taken down. According to the person I spoke to at Mushroom, it was a development instance using a snapshot of production data:

It was confirmed that roughly 6,000 users had their emails exposed:

However, despite being a "very valuable vulnerability finding", no statement was made publicly regarding this. I did contact someone I know was included in the data, but they did not recall seeing any notification or alert about it. Whether they contacted affected users or not I'm not sure, but something of this scale surely deserves a public announcement.
Unfortunately, this isn't even my first time finding a Mushroom issue. Less than a month before, I discovered 2 public Redis instances linked to them, which were being used for cryptocurrency mining:





This was reported to their team and was quickly fixed.
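A check a defender would run before a Redis instance like the ones mentioned above goes live. This is an added example for this write-up, not code from Mushroom or the author, and both config snippets are constructed. It audits a redis.conf for the three settings that decide whether arbitrary hosts on the internet can connect: the bind address, protected-mode, and whether a password is required (ACL `user` directives are ignored, which is a simplification).

```python
"""Audit a redis.conf for settings that leave the instance open to the internet.

Added example, not code from the original post. The two configs below are
constructed to show the weak settings beside the corrected ones.
"""

# Bind targets that accept connections from every interface.
WILDCARD_BINDS = {"0.0.0.0", "*", "::", "::*"}


def parse_redis_conf(text):
    """Return {directive: value}; the last occurrence of a directive wins,
    matching how Redis applies repeated directives. Full-line comments are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        conf[key] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def listens_publicly(bind_value):
    """True if the bind directive (or its absence) exposes the listener on all interfaces.
    Redis listens on every interface when no bind is given; a leading '-' on an
    address only means 'do not fail if the address is unavailable'."""
    addrs = [a.lstrip("-") for a in bind_value.split()]
    if not addrs:
        return True
    return any(a in WILDCARD_BINDS for a in addrs)


def audit_redis_conf(text):
    """Return a list of (code, message) findings; an empty list means the
    three exposure-related settings are all in their safe state."""
    conf = parse_redis_conf(text)
    findings = []

    if listens_publicly(conf.get("bind", "")):
        findings.append(("PUBLIC_BIND",
                         "bind is missing or a wildcard: the port is reachable from every interface"))

    if conf.get("protected-mode", "yes").lower() == "no":
        findings.append(("PROTECTED_MODE_OFF",
                         "protected-mode no: Redis will not refuse remote clients even without a password"))

    # requirepass is the classic auth setting; ACL 'user' lines are not evaluated here (simplification).
    if not conf.get("requirepass"):
        findings.append(("NO_PASSWORD",
                         "requirepass is unset: any client that can reach the port has full access"))

    return findings


# Constructed: how an instance ends up open to anyone who finds the port.
WEAK_CONF = """
bind 0.0.0.0
protected-mode no
port 6379
"""

# Constructed: loopback only, protected mode on, password required.
HARDENED_CONF = """
bind 127.0.0.1 -::1
protected-mode yes
port 6379
requirepass REPLACE_WITH_LONG_RANDOM_SECRET
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit_redis_conf(conf) or 'no exposure findings'}")
```

Run it against the real redis.conf of a box (or feed `CONFIG GET` output reshaped into directive/value lines) to get the same three verdicts; a clean result still says nothing about firewall rules in front of the host, so pair it with a listen-address review.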
Here is an example of what data was stored (heavily redacted for obvious reasons):





Discord
I reported this issue directly to Discord's Developer Support and they confirmed it was a violation of their TOS:

Unfortunately, no action was taken on Discord's side to step in. I chased them up and received the following response:

Timeline of events
December 15th 2022* -> Possible date when the instance was first made available.
January 10th 2023* -> Possible date when the instance was first made available.
February 28th 2023, 1:20 PM -> Discovered the issue and started looking into the scale of it.
February 28th 2023, 1:25 PM -> Notified someone at Mushroom of the issue.
February 28th 2023, 7:22 PM -> Notified Discord via the Developer Compliance report form.
February 28th 2023, 7:39 PM -> Discord replies, confirms it's a violation of their TOS.
March 1st 2023, 10:12 PM -> Mushroom replies, confirms it's down.
March 22nd 2023, 8:02 PM -> I remind them that they should make a statement regarding this; they replied saying "good remind, still on it and will talk to you in a few days".
In the end, I never ended up receiving a response.
* These dates are ESTIMATES only, provided by Shodan:

Closing notes
I'm disappointed with how this was handled on Discord's side - they were aware of the issue and the number of users potentially affected, yet took no action. They could have temporarily blocked the bot (as they have done with MEE6 before), yet they did not and just let it happen.
Mushroom handled the report pretty well - they took action fast (within around 24 hours) and actually looked into the issue in order to work out how many users were potentially affected, so kudos to them. In future, I would recommend being more transparent about the issue, but otherwise they did a good job.