- A sophisticated DDoS attack knocked Bluesky offline starting April 15 at 8:40 PM ET, with outages persisting into the next day.
- Bluesky COO Rose Wang confirmed the cyberattack but said there’s no evidence of unauthorized access to private user data.
- The outage hit roughly 30 million registered users—exposing the centralized infrastructure vulnerabilities of a platform built on decentralization promises.
Bluesky went dark on Thursday evening and stayed that way for nearly 24 hours. The social media platform, a decentralized alternative to X that has attracted roughly 30 million users since its public launch in early 2024, confirmed that a “sophisticated Distributed Denial-of-Service (DDoS) attack” was responsible for widespread outages affecting feeds, notifications, threads, and search, TechCrunch reported.
The attack began at approximately 8:40 PM ET on April 15, according to Bluesky’s official statement. The company’s team worked through the night to mitigate the damage, but service interruptions dragged well into Friday. Chief operating officer Rose Wang attributed the ongoing disruptions to a sustained cyberattack that the team had not yet fully contained.
DDoS attacks are blunt instruments, not hacks in the traditional sense. Attackers flood a target’s servers with enormous volumes of junk web traffic, overwhelming capacity and knocking legitimate users offline. No systems are breached. No data is stolen. But the disruption can be total. As The Verge’s Jay Peters wrote, Bluesky “has been dealing with a DDoS attack for nearly a full day.”
Bluesky’s Decentralization Promise Meets Centralized Reality
Here’s the irony: Bluesky was built on the AT Protocol, a decentralized social networking framework designed to distribute control away from any single company or server. In theory, this architecture should make the platform more resilient to exactly this kind of attack. In practice, Bluesky’s infrastructure still runs on centralized servers that are just as vulnerable to DDoS floods as any other social media company’s.
The AT Protocol distributes identity and data across the network, but the Bluesky app and its primary relay servers remain concentrated chokepoints. When those go down, 30 million users feel it—regardless of how decentralized the underlying protocol claims to be. It’s a gap between architectural philosophy and operational reality that the DDoS attack exposed in real time.
Bluesky confirmed it has “not seen any evidence of unauthorized access to private user data” due to the attack. The company promised a follow-up update by 1 PM ET on Friday. That reassurance addresses data security concerns but doesn’t answer the underlying question: if a platform markets itself as decentralized, why does a single attack vector knock out the entire network?
The DDoS Wave Hitting Social Platforms
Bluesky isn’t alone. DDoS attacks against social media platforms and internet infrastructure have been escalating in both frequency and sophistication throughout 2025 and 2026. Cloudflare’s Q4 2025 threat report documented a 53% year-over-year increase in volumetric DDoS attacks, with social media and communications platforms among the most targeted sectors.
The attack on Bluesky comes at a particularly awkward moment. The platform has been positioning itself as the stable, user-friendly alternative to X—especially as Elon Musk’s platform continues to alienate advertisers and users. A nearly day-long outage undercuts that narrative, even if the root cause was external rather than a platform failure.
Access had reportedly been impossible since around 9 a.m. Central European Time on Thursday, according to heise online. For users who rely on Bluesky as their primary social feed, the outage was a reminder that “decentralized” is still more aspiration than reality for most consumer-facing platforms. Bluesky status updates are expected to continue as the team works to fully restore service.