Bluesky Blames App Outage on ‘Sophisticated’ DDoS Attack

What happened

Bluesky attributed a widespread service outage on April 15, 2026 to a sustained DDoS attack that disrupted feeds, notifications, threads, and search functions across its platform. Engineers worked overnight to contain the attack, which intensified throughout the day before the service stabilized on April 16. Bluesky said the platform has remained stable since, despite ongoing attack traffic. No evidence of unauthorized access to private user data was found.

An Iran-linked hacker group calling itself 313 Team claimed responsibility via Telegram, saying it launched a “massive cyberattack” targeting Bluesky’s API. Bluesky has not publicly addressed the claim and had not responded to requests for comment at publication. Cybersecurity researchers have previously linked 313 Team to retaliatory cyber operations aligned with the interests of Iran-backed Shiite militias, with the group believed to operate out of Iraq and to target organizations associated with countries seen as supporting the United States or Israel.

Bluesky has grown to roughly 43.7 million users, driven in part by migration from X following the 2024 U.S. presidential election.

Who is affected

All Bluesky users experienced degraded or unavailable service during the outage period. The company confirmed no private data was accessed, so the impact was limited to availability. Organizations and individuals who rely on Bluesky for communications, brand presence, or monitoring during that window faced an unplanned disruption.

Why CISOs should care

The attribution claim here is unconfirmed, and Bluesky hasn’t addressed it. But the broader pattern is worth noting. Iran-linked groups have been increasingly active against Western-aligned platforms and infrastructure, and social media services are becoming more common targets as geopolitical tensions translate into digital pressure campaigns. For security leaders, the more operational question is how their organizations would handle a sudden loss of a communication platform they depend on, whether for internal coordination, public communications, or threat intelligence sharing.

3 practical actions

  1. Map communication platform dependencies for your incident response workflows: If Bluesky, X, or similar platforms are part of how your team shares threat intelligence or coordinates during incidents, identify backup channels now rather than during an outage.
  2. Monitor Iran-linked threat actor activity given current geopolitical conditions: With 313 Team and affiliated groups showing increased targeting of Western-associated platforms, factor this threat profile into your current risk assessments, particularly if your organization has visible ties to U.S. or Israeli interests.
  3. Review your organization’s own DDoS resilience posture: A platform with tens of millions of users experienced multi-day disruption from a sustained attack; use this as a prompt to validate whether your own public-facing infrastructure could absorb similar sustained volumetric pressure.
