Bluesky Restores Service After Iran-Linked 313 Team DDoS Attack, Confirms No User Data Breach
Bluesky recovered from a multi‑day DDoS attack claimed by the Iran‑linked 313 Team, confirmed that no user data was accessed, and restored service by April 20.
TL;DR: Bluesky suffered a multi‑day DDoS attack claimed by the Iran‑linked 313 Team; service was restored by April 20, and the platform confirmed no user data was accessed.
Context
Bluesky’s feed refreshes stopped at 11:40 PM PDT on April 15, 2026, halting notifications, search and thread loading for millions. The outage persisted as attackers flooded the platform’s API with junk traffic, overwhelming the communication path between apps and servers. By April 18 Bluesky issued a statement denying any unauthorized access to user data, and a final update on April 20 declared the service stable again.
Key Facts
- The 313 Team, also known as the Islamic Cyber Resistance in Iraq, claimed responsibility for the attack on Telegram.
- Bluesky confirmed on April 18 that there is no evidence of unauthorized access to private user data.
- The group has ties to Iran and previously targeted Bahraini government sites and mastodon.social on April 20.
- The attack pattern matches a classic volumetric DDoS (MITRE ATT&CK T1498) aimed at disrupting availability rather than exfiltrating data.
What It Means
DDoS incidents like this highlight the reliance of social platforms on API availability and the need for scalable traffic‑absorbing defenses. While user data remained intact, the disruption affected user engagement and trust, underscoring that availability attacks can have reputational and operational costs comparable to breaches.
Mitigations
Defenders should implement layered DDoS protections: enable rate limiting and request throttling at API gateways, deploy anycast‑based scrubbing services, and configure web application firewalls to drop traffic matching known attack signatures (e.g., SYN flood, UDP amplification). Monitor for anomalous spikes in inbound bandwidth and packet rates using IDS rules aligned with MITRE ATT&CK T1498/T1499. Regularly test upstream bandwidth contracts and maintain an incident‑response playbook that includes traffic‑diversion and communication templates for users.
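To make the rate-limiting and request-throttling recommendation concrete, here is an added example (not Bluesky's code or configuration) of a per-client token-bucket throttle of the kind an API gateway applies. The class name, client labels, the 5 requests/second rate and the burst of 10 are assumptions chosen for illustration, and the traffic is constructed.

```python
import time


class ApiRateLimiter:
    """Token-bucket throttle keyed by client identifier (API key or source IP)."""

    def __init__(self, rate=5.0, burst=10.0, clock=time.monotonic):
        self.rate = rate      # tokens refilled per second (assumed value)
        self.burst = burst    # bucket capacity, i.e. largest allowed burst
        self.clock = clock    # injectable so the simulation is deterministic
        self.buckets = {}     # client_id -> [tokens, last_seen]

    def check(self, client_id, cost=1.0):
        """Return (http_status, retry_after_seconds) for one request."""
        now = self.clock()
        bucket = self.buckets.setdefault(client_id, [self.burst, now])
        # Refill for the time elapsed since this client's last request.
        bucket[0] = min(self.burst, bucket[0] + (now - bucket[1]) * self.rate)
        bucket[1] = now
        if bucket[0] >= cost:
            bucket[0] -= cost
            return 200, 0.0
        # Throttled: tell the client how long until enough tokens exist.
        return 429, (cost - bucket[0]) / self.rate

    def prune(self):
        """Drop buckets idle long enough to be full again, bounding memory
        when a flood arrives from many distinct client identifiers."""
        now = self.clock()
        idle = self.burst / self.rate
        self.buckets = {k: v for k, v in self.buckets.items() if now - v[1] < idle}


def simulate():
    """Constructed traffic over 3 s: 'flood' sends 100 req/s, 'normal' 2 req/s."""
    t = [0.0]
    limiter = ApiRateLimiter(rate=5.0, burst=10.0, clock=lambda: t[0])
    allowed = {"flood": 0, "normal": 0}
    rejected = {"flood": 0, "normal": 0}
    for tick in range(300):                      # 10 ms steps
        t[0] = tick / 100.0
        clients = ["flood"] + (["normal"] if tick % 50 == 0 else [])
        for client in clients:
            status, _ = limiter.check(client)
            (allowed if status == 200 else rejected)[client] += 1
    return allowed, rejected


if __name__ == "__main__":
    print(simulate())
```

Per-client throttling of this kind protects the application tier from abusive clients; it does not absorb a volumetric flood upstream of the gateway, which is why the paragraph above pairs it with scrubbing services.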
Watch for any resurgence of the 313 Team targeting other decentralized social platforms or for Bluesky’s post‑mortem details on API hardening measures.