Discord, the widely-used voice and text communication platform with over 200 million monthly users, has acknowledged a serious data breach affecting a large subset of individuals who submitted government IDs for age verification. In an official statement on October 3, 2025, the company confirmed the incident, which was detailed by Hackread.com, noting that the breach did not compromise Discord’s core systems.
In a follow-up update dated October 8, 2025, Discord indicated that approximately 70,000 users may have had images of their government-issued IDs exposed. Importantly, the breach did not occur directly within Discord’s infrastructure but rather through a third-party customer service provider. This incident underscores a vulnerability that many organizations face when relying on external vendors for operational support.
Investigation into the breach revealed that malicious actors reportedly accessed a customer support system through an outsourced service partner’s account, beginning on September 20, 2025, and lasting approximately 58 hours. The attackers claimed they infiltrated Discord’s Zendesk instance by compromising a support agent’s account, a common tactic that the MITRE ATT&CK framework describes as initial access through credential theft.
Contrasting Claims and Extortion Allegations
While Discord has communicated that around 70,000 IDs were compromised, the attackers claim a much larger haul. Reports indicate that the hackers assert they have stolen 1.5 terabytes of data, which may include ID photos linked to 2.1 million Discord users. A separate report by VX-underground suggested that the attackers also accessed sensitive data via Zendesk’s internal support application, allowing actions like disabling multi-factor authentication and accessing user phone numbers and email addresses.
The attackers allege that 521,000 age-verification tickets were involved, a number far higher than Discord’s figures. In response, Discord has firmly stated that the attackers' claims, including the inflated numbers, are part of an extortion effort. The statement also reinforced that the breach did not originate from Discord itself.
“This was not a breach of Discord, but rather a third-party service we use for customer support. The figures being circulated are incorrect and part of an extortion attempt,” stated Discord.
Discord confirmed it has notified all potentially impacted users and is collaborating with law enforcement agencies, data protection authorities, and external security experts to manage the situation. The company emphasized the need for strong security measures, revealing that affected systems have been secured and that they have severed ties with the vendor involved. Protecting user data remains paramount, especially in light of the scrutiny that follows such incidents.
Recommended Security Measures for Affected Users
The breach may have exposed personal information including names, usernames, email addresses, IP addresses, and fragmentary payment details such as the last four digits of credit cards. However, Discord has assured users that full credit card details, passwords, and authentication tokens were unaffected.
Users impacted by this breach should immediately activate multi-factor authentication on both their Discord accounts and associated email accounts, and be vigilant against potential phishing attacks. Official communications from Discord will only originate from a designated email address. If your government ID was compromised, it is advisable to keep a close watch on financial statements and credit reports to mitigate risks associated with identity theft.