Over 70,000 Discord users may have had their government ID photos compromised due to a recent cyberattack on a third-party vendor.
Discord, a platform with more than 200 million global users, implemented age verification through a third-party agency, 5CA, to comply with new regulations like the UK’s Online Safety Act and the EU’s Digital Services Act. These regulations sometimes require users to submit government-issued identification, such as a driving license or passport, to verify their age. It is precisely these sensitive scans, submitted by users contacting Discord’s customer service team, that have been exposed in the breach.
While Discord initially reported a “limited number of users” affected, a subsequent update confirmed that government ID photos belonging to approximately 70,000 users, which its vendor used for age-related appeals, were potentially exposed.

However, reports from another source indicate a much larger scale, suggesting Discord faced an extortion attempt after hackers accessed its systems for 58 hours, starting September 20. This report claims the theft of 1.5 terabytes of sensitive data, including over 2.1 million government IDs used for age verification, impacting “5.5 million unique users across 8.4 million support tickets.” This figure significantly exceeds Discord’s public estimate of 70,000.
The information potentially leaked includes:
- Names, Discord usernames, emails, and other contact details provided to customer support.
- Limited billing information like payment type, the last four digits of credit cards, and purchase history.
- IP addresses.
- Messages exchanged with customer service agents.
- Limited corporate data (training materials, internal presentations).
- A small number of government ID images.
Discord has reassured users that full credit card numbers, CCV codes, Discord messages, posts, and password or authentication data were not involved in the breach. Affected users will receive a direct email from Discord.
The company stated it “will continue to take all appropriate steps” in response, including frequent audits of third-party systems to ensure security and privacy standards are met. Discord has also informed relevant data protection authorities, engaged with law enforcement to investigate the attack, and reviewed its internal threat detection systems.
“We recommend impacted users stay alert when receiving messages or other communication that may seem suspicious,” Discord advised. “Our service agents are available to answer questions and provide additional support. We take our responsibility to protect your personal data seriously and understand the inconvenience and concern this may cause.”