Discord has revealed that approximately 70,000 users might have had their government-issued identity document images exposed through a breach of a third-party customer service provider (via The Verge).
The company has confirmed that this was not a direct hack of Discord’s own systems, but rather an attack on a support vendor tied to the platform.
In its official update, Discord emphasized that the breach impacted a support service provider it uses rather than its internal infrastructure. The compromised vendor handled age verification appeals, meaning the government ID images that were exposed belonged to users who submitted documents to prove their age.
Beyond the ID images, the attack may have revealed other data fields. Discord acknowledges that names, usernames, email addresses, IP addresses, and the last four digits of credit cards might have been accessed. The company clarified that full credit card numbers, passwords, and private messages beyond support tickets were not among the exposed data.
Hackers behind the incident claimed they were extorting Discord. Some public assertions listed much larger figures — for instance that 1.5 terabytes of age verification images and over 2 million documents were stolen. Discord disputes those numbers and says they are part of a ransom negotiation.
As soon as it learned about the breach, Discord revoked the affected support vendor’s system access and isolated related systems. The company also engaged forensic teams, notified regulators, and is working with law enforcement. Affected users have been informed via email, with more detailed notices for those whose ID images were involved.
The exposure of ID images presents serious identity theft risks. Even without full credit card or password compromise, details such as names, emails, IP addresses, and support history can assist malicious actors in phishing or impersonation attacks.
Users who submitted IDs to Discord as part of appeals should check their inbox for notification from Discord. Those who receive alerts should monitor credit reports, be on the lookout for phishing emails, and consider placing fraud alerts with identity protection services.
Want to see more of our stories on Google?
P.S. Want to keep this site truly independent? Support us by buying us a beer, treating us to a coffee, or shopping through Amazon here. Links in this post are affiliate links, so we earn a tiny commission at no charge to you. Thanks for supporting independent Canadian media!
Great. After my session token theft discord hack back in March, I’m still freaked out on how quickly 2fa was circumvented.
I don't remember sending my ID to Discord, but I think they have my mobile number.