In a significant cybersecurity incident, Discord, the widely used communication platform, has become the target of an extortion attempt following a data breach at one of its third-party customer service providers, Zendesk. The breach, which occurred on September 20, 2025, led to unauthorized access to sensitive user information, including government-issued identification photos.
Details of the Breach
The attackers claim to have exfiltrated 1.5 terabytes of data, encompassing over 2.1 million government-issued ID photos used for age verification purposes. However, Discord disputes these figures, stating that approximately 70,000 users had their ID photos exposed. The breach did not compromise Discord’s primary servers but targeted its customer support systems managed by Zendesk. The unauthorized access was achieved by compromising the account of a support agent employed by an outsourced business process provider, allowing the attackers to maintain access for 58 hours.
Scope of Compromised Data
The breach primarily affects users who interacted with Discord’s Customer Support or Trust & Safety teams. The stolen data includes:
– Full names
– Discord usernames
– Email addresses
– Limited billing information (payment type and last four digits of credit card numbers)
– Messages exchanged with customer service agents
– User IP addresses
The most concerning aspect is the theft of government-issued ID images, such as driver’s licenses and passports, submitted by users to appeal age-related account restrictions. While the attackers claim to possess over 2.1 million of these photos, Discord has labeled this figure as inaccurate and part of the extortion effort. The hackers allege that the data haul affects 5.5 million unique users across 8.4 million support tickets. In contrast, Discord’s investigation has identified approximately 70,000 affected users globally whose IDs may have been exposed.
Response and Mitigation Efforts
Upon discovering the incident, Discord took immediate action by revoking the compromised vendor’s access to its ticketing system and terminating its partnership with them. The company has launched an internal investigation, engaged a leading computer forensics firm, and is collaborating with law enforcement and data protection authorities to address the attack. Discord has stated it will not pay the ransom demanded by the cybercriminals.
The company is notifying all affected users via email from the address [email protected] and has warned users that it will not contact them through any other channel regarding this matter. The notification email will specify whether a user’s government ID was part of the compromised data. Discord has assured its community that the breach did not expose full credit card numbers, passwords, or private messages and activity outside of customer support interactions.
Implications and Recommendations
This incident underscores the growing threat of supply chain attacks, where attackers target less secure third-party partners to access the data of larger organizations. Users are advised to remain vigilant for potential phishing attempts and to monitor their accounts for any suspicious activity. Implementing multi-factor authentication and regularly updating passwords can provide additional layers of security.
As the situation develops, the full impact will depend on whether the threat actors follow through on their threat to release the stolen data. Discord’s proactive measures and transparent communication are crucial steps in mitigating the effects of this breach and maintaining user trust.