- A third-party customer support provider was breached, exposing around 70,000 users’ ID photos worldwide.
- Exposed data may include names, usernames, emails, IP addresses, and last four digits of payment cards; no passwords or full card numbers were taken.
- Discord contacted affected users, secured systems, ended work with the vendor, and is cooperating with law enforcement and data protection authorities.
- Claims of a 1.5 TB cache tied to age verification were deemed inaccurate and linked to an extortion attempt, according to a spokesperson.
Discord has confirmed a security incident involving a compromised third-party customer support provider, resulting in the exposure of ID document photos for roughly 70,000 users worldwide. While the company stresses its core systems were not directly accessed, the breach affected a vendor that helps review age-related appeals on the platform.
According to a company spokesperson, the incident has triggered an investigation and coordinated response. Public chatter about a massive 1.5 TB trove of data has been addressed: those numbers are inaccurate and tied to an extortion attempt, and Discord says it has no intention of rewarding unlawful behavior.
What happened and how the breach occurred
The attack targeted an external provider used by Discord for customer support, including teams focused on Trust & Safety. That vendor collects images of official IDs—such as passports and driver’s licenses—specifically to validate appeals concerning a user’s age status, a process that occasionally requires document review.
By compromising the vendor, the attacker obtained access to certain records submitted by users seeking help. Discord indicates that its own systems were not directly infiltrated, and that the breach path was through the third-party system rather than Discord’s infrastructure.
What information was exposed
Discord states the exposed data set may include several categories of personal information. The most sensitive element is the presence of ID document photos associated with age verification and related appeals.
- ID document images (for age-verification and appeals)
- Names and Discord usernames
- Email addresses and IP addresses
- Last four digits of payment card numbers
The company adds that passwords and full card numbers were not compromised. As a result, users need not reset their credentials solely due to password exposure, though additional safeguards are still recommended.
Scope of impact
Discord has put the approximate number of impacted accounts at around 70,000 users globally. The figure refers specifically to those whose ID document photos were included in the vendor’s dataset accessed by the attacker.
While the incident is serious, Discord reiterates that there was no direct breach of its primary systems, and the exposure was limited to data processed by the third-party provider for support workflows.
Company response and ongoing actions
A spokesperson confirmed that Discord has contacted all affected users and is continuing to coordinate with law enforcement, data protection authorities, and external security experts. These steps aim to ensure containment, notifications, and compliance with applicable regulations.
Discord says it has secured the affected systems and ended its relationship with the impacted vendor. The company emphasized that it will not provide any payment or benefit to those behind the extortion attempt, underscoring that such claims are both unlawful and misleading.
Addressing misinformation about the breach
Reports circulating on social media alleged that attackers obtained about 1.5 TB of age-verification photos. Discord’s spokesperson countered those claims, noting they are inaccurate and form part of a broader effort to pressure the company.
The clarification was shared to correct the record and reduce unnecessary panic. According to the spokesperson, the verified scope remains approximately 70,000 impacted users, not a multi-terabyte cache.
What affected users can do now
Although passwords and full payment card numbers were not exposed, there are prudent steps users can take to reduce risk. These measures can help address potential fallout from ID photo and contact data exposure.
- Enable multi-factor authentication on your Discord account (if not already active).
- Be extra cautious with messages requesting personal data or payments, even if they reference real details.
- Monitor the email address linked to your account for phishing attempts.
- Review recent activity on your Discord and associated email accounts for anything unusual.
- Consider a credit or identity monitoring service if you shared government ID images.
Staying vigilant against social engineering is key, since attackers may try to weaponize partial personal information to gain further access elsewhere.
Regulatory and legal coordination
Discord has indicated it is collaborating with law enforcement and data protection authorities. This typically involves breach notifications, evidence preservation, and ongoing updates as the investigation progresses.
The company also mentioned working with external security experts to validate containment and support a thorough review of the vendor’s security posture.
Why a vendor breach matters
Third-party providers often handle sensitive workflows, such as age verification, making them an attractive target. Even when a platform’s core systems remain intact, attackers can still access high-value personal data via vendors that process user submissions.
This incident underscores the importance of strong vendor management, including security controls, audits, and incident response built into contracts and ongoing operations.
Discord’s latest update paints a clearer picture: a third-party support vendor breach affected roughly 70,000 users’ ID photos and some related personal details, but not passwords or full card numbers. The firm has notified impacted users, cut ties with the vendor, secured affected systems, and is working with authorities while dismissing exaggerated claims tied to alleged extortion.
