Discord says it recently discovered a security incident in which one of its third-party customer service providers was compromised, exposing personal user data submitted through support channels. Discord emphasizes that the breach did not stem from direct unauthorized access to its own core infrastructure.
The attacker(s) reportedly accessed data associated with users who had reached out to Discord’s Customer Support or Trust & Safety teams, including during appeals of age verification decisions. Among that data may be names, usernames, email addresses, contact information, IP addresses, transcripts of interactions with support, and limited billing details (such as payment type and the last four digits of credit cards). Crucially, a “small number” of government-issued ID images that users submitted for age verification appeals were also accessed. Notably, Discord reports that full credit card numbers, CCV codes, passwords, and private user messages (beyond the support interactions) were not compromised in this incident.
According to external sources citing the attackers, the stolen data includes 1.5 terabytes of files and over 2.1 million ID photos. The attackers claim to have collected data from 5.5 million unique users via over 8 million support tickets. Discord disputes these numbers, saying that they are part of an extortion effort.
Scale of affected users
In its official statement, Discord estimates that approximately 70,000 users may have had their government-ID photos exposed during the breach. The company refers to this as “a limited number” of affected accounts.
Discord says it has already initiated notifications to impacted users, indicating whether their ID photos were involved, and has revoked the third-party vendor’s access to its support ticketing system. The company also states it is cooperating with law enforcement, data protection authorities, and external security experts as it investigates the incident.
Discord says it will not pay any ransom demanded by the attackers.
Context and implications
This breach underscores the risks associated with involving third-party service providers in handling sensitive user data. Because Discord did not suffer a breach of its primary systems, the attackers were able to exploit the support system infrastructure, possibly a Zendesk environment, as the entry point. The reliance on such vendors introduces a supply chain vulnerability.
While Discord states that only “a small number” of ID images were accessed, the possibility that hundreds of thousands or millions of sensitive documents could be in the hands of malicious actors magnifies concerns about identity theft, misuse of personal documents, and exposure of deeply personal data.
For users who had to submit identification documents to resolve age verification disputes, the breach may entail a higher risk of downstream abuse of those documents. The company’s assurances that passwords and core Discord content were unaffected may mitigate some concerns, but the breach remains serious because of the highly sensitive nature of identity documents.
The full impact remains uncertain, especially since the attacker claims exceed the numbers Discord discloses. Discord’s refusal to pay ransom may lead to public release of data by the attackers, which would escalate risks for affected users.
