Data breach
Discord data breach via third-party vendor exposed 70,000 users' government IDs ...
A significant data breach at a third-party customer service provider used by Discord has compromised the sensitive government ID photos of approximately 70,000 users, the company confirmed in an October 9th update. The incident, which occurred on September 20th, underscores the growing exposure of user data through supply-chain attacks, even when the core platform itself remains secure.
Hackers, identifying as "Scattered Lapsus$ Hunters (SLH)," gained access to the vendor's support system for 58 hours. While they claim to have exfiltrated 1.6 terabytes of data affecting 5.5 million users, including over 2 million ID photos, Discord has refuted these figures, stating they are "inaccurate" and part of an extortion attempt. The company has refused to pay any ransom.
The table below summarizes the compromised and safe data based on Discord's official advisory.
| **Data Potentially Exposed** | **Data Confirmed Safe** |
| :--- | :--- |
| Government ID photos (e.g., driver's licenses, passports) | Full credit card numbers & CVV codes |
| User names, Discord usernames, & email addresses | User account passwords |
| Messages with customer service agents | Private messages & activity on Discord platforms |
| IP addresses & limited billing info (last 4 digits of credit cards) | |
### Third-Party Weak Link
The breach did not result from a flaw in Discord's own infrastructure. Instead, it was carried out by compromising a support agent's account at its third-party customer service provider, identified in some reports as 5CA. This vendor was responsible for handling age-verification appeals, a process that requires users to submit highly sensitive government identification.
This incident exemplifies a **supply-chain attack**, where cybercriminals target a less-secure partner to bypass the primary company's defenses. Discord has since revoked the vendor's access to its ticketing system.
### Age-Verification Debate
The exposure of thousands of government IDs has intensified the debate around online age-verification laws. Platforms like Discord are increasingly required by regulations, such as the UK's Online Safety Act, to confirm users' ages, often leading to the collection of highly sensitive documents.
Privacy advocates warn that this creates a dangerous precedent. **"Age verification systems are surveillance systems,"** said Maddie Daly of the Electronic Frontier Foundation. She further noted that such systems leave users "highly vulnerable to data breaches and other security harms, as we see time and time again".
### Actionable Guidance for Affected Users
Discord is directly notifying impacted users via `[email protected]` and will not use phone calls for this communication. If you receive this notification or have previously contacted Discord support, you should:
- Be suspicious of unsolicited emails, calls, or messages that ask for personal information or direct you to click on links.
- Ensure any email claiming to be from Discord comes from the `[email protected]` address.
- Add an extra layer of security to your Discord account and other critical online accounts.
The breach is a stark reminder of the cascading risks posed by third-party vendors. As Nathan Webb, a principal consultant at Acumen Cyber, stated, **"Despite age verification being outsourced, businesses still have an accountability to ensure that data is stored appropriately"**.
Discord said it has notified data protection authorities and is working with law enforcement on an ongoing investigation.