
Discord has released an updated statement clarifying the extent of a recent security breach that exposed sensitive user data via a compromised third-party support vendor.
The communication platform, which serves over 150 million monthly active users, stated that approximately 70,000 users had their government ID photos accessed, although the attackers claim a vastly broader breach affecting millions.
The incident, initially disclosed on October 3, stems from the compromise of a third-party customer support provider used by Discord, not a direct breach of Discord's own infrastructure. According to an update on October 8, attackers accessed support-related data through this external partner and then attempted to extort Discord for ransom.
The breach primarily affected users who had contacted Discord's Customer Support or Trust & Safety teams, potentially exposing data such as usernames, email addresses, limited billing metadata (including the last four digits of credit card numbers), IP addresses, and conversation transcripts with support agents. For users involved in age-related appeal processes, uploaded government-issued ID images were also exposed, a situation that Discord now confirms impacted approximately 70,000 users globally.
Discord says the attackers specifically targeted the third-party vendor to steal user information and leverage it in a ransom demand. Upon learning of the breach, Discord immediately revoked the vendor's access to its support ticketing system, launched an internal investigation with the assistance of a leading digital forensics firm, and reported the matter to law enforcement. The company is now notifying affected users directly via email from its official address (noreply@discord.com).
Hackers say millions exposed
While Discord has now provided detailed information about the scope of the breach, hackers claiming responsibility for the attack tell a much more dramatic story. In conversations with BleepingComputer, the threat actors allege they accessed Discord's internal Zendesk support instance for 58 hours beginning on September 20, 2025, after compromising an account belonging to a support agent employed by a business process outsourcing (BPO) firm.
The hackers claim to have exfiltrated 1.6 TB of data, including:
- 1.5 TB of support ticket attachments
- Over 100 GB of support ticket transcripts
- Information from roughly 8.4 million support tickets affecting an estimated 5.5 million users
- Around 580,000 user entries allegedly containing some form of payment-related information
They also claim that the breach granted them access to Discord's internal support tool, Zenbar, which allegedly allowed them to look up user emails and phone numbers, and even disable multi-factor authentication (MFA) on some accounts.
Reportedly, the attackers initially demanded $5 million, later reducing the figure to $3.5 million, and engaged in private negotiations with Discord until October 2. Following Discord's refusal to pay and its public disclosure of the breach, the group reportedly threatened to leak the stolen data.
Discord has firmly denied the attackers' data volume estimates, stating that only about 70,000 users had their government ID images accessed, and dismissing the inflated figures as part of the attackers' extortion tactics. The company also clarified that no full credit card numbers, CVV codes, passwords, or authentication tokens were compromised in the breach, nor were private messages or platform activity accessed beyond support ticket conversations.
Despite Discord's firm stance, questions remain regarding data retention practices, particularly why government ID images were still accessible to the third-party vendor after age verification was completed.
Potentially exposed users should remain vigilant for phishing attempts, especially messages impersonating Discord and its customer support personnel, review account activity for suspicious logins, and enable multi-factor authentication.