The popular communication platform Discord has confirmed a major security incident involving a third-party vendor, resulting in the exposure of sensitive personal data, including the government-issued photo IDs of approximately 70,000 users globally.
The breach was not a direct attack on Discord’s core system but a compromise of an external customer service provider used for support and age verification appeals.
The incident, which was discovered in late September, targeted data shared by users who had reached out to Discord’s Customer Support or Trust & Safety teams.
The attackers gained access to a database containing personal information related to customer service requests. The most concerning data exposed were:
Discord has stressed that users’ in-app messages and passwords were not compromised.
Discord has been clear that this was not a breach of their main platform and that the unauthorised party is attempting to extort a financial ransom from the company.
Confirming the scale of the ID exposure, they stated, “Of the accounts impacted globally, we have identified approximately 70,000 users that may have had government-ID photos exposed, which our vendor used to review age-related appeals.”
Discord immediately took action which included revoking the vendor’s access to their ticketing system and engaging law enforcement. The company is actively notifying all affected users.
Discord advises users to look for official communication only from a specific email address.
“If you were impacted, you will receive an email from noreply@discord.com. We will not contact you about this incident via phone.”
