On September 20, 2025, Discord suffered a data breach via its third-party vendor 5CA, which handled customer service and age verification appeals. The attack, attributed to groups like Scattered Spider, LAPSUS$, and ShinyHunters, lasted 58 hours and exposed sensitive data of ~70,000 users globally. Compromised information included government-issued IDs (passports, driver’s licenses), full names, emails, usernames, contact details, limited billing data (last four digits of cards, payment history), IP addresses, customer support messages, and internal training documents. While full credit card numbers, CVV codes, passwords, and private messages remained secure, hackers demanded a ransom (initially $5M, later reduced to $3.5M), which Discord refused to pay. The breach highlights risks tied to mandatory age verification laws, as the stolen IDs and personal data could enable identity theft or fraud. Discord terminated 5CA’s access, launched an investigation, and notified affected users, but the incident underscores vulnerabilities in third-party handling of sensitive user data.
TPRM report: https://www.rankiteo.com/company/5ca
"id": "5ca4692346101025",
"linkid": "5ca",
"type": "Breach",
"date": "9/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': '70,000',
                        'industry': ['social media', 'gaming communication'],
                        'location': 'Global (HQ: San Francisco, USA)',
                        'name': 'Discord',
                        'type': 'technology company'},
                       {'industry': ['customer service', 'age verification'],
                        'name': '5CA',
                        'type': 'third-party vendor'}],
 'attack_vector': ['third-party vendor compromise (5CA)',
                   'credential theft/exploitation'],
 'customer_advisories': ['Emails sent to affected users from '
                         'noreply@discord.com with breach details and next '
                         'steps.'],
 'data_breach': {'data_exfiltration': True,
                 'file_types_exposed': ['ID scans/images',
                                        'text logs (support messages)',
                                        'documents (training materials)'],
                 'number_of_records_exposed': '70,000',
                 'personally_identifiable_information': True,
                 'sensitivity_of_data': 'high (PII, government IDs)',
                 'type_of_data_compromised': ['government-issued IDs '
                                              '(passports, driver’s licenses)',
                                              'emails',
                                              'full names',
                                              'usernames',
                                              'contact details',
                                              'limited billing data (last four '
                                              'digits of card numbers, payment '
                                              'types, purchase history)',
                                              'IP addresses',
                                              'customer support messages',
                                              'internal training '
                                              'documentation']},
 'date_detected': '2025-09-20',
 'date_publicly_disclosed': '2025-10-02',
 'description': 'Discord experienced a significant data breach on September '
                '20, 2025, when its third-party customer service and age '
                'verification provider, 5CA, was compromised. The breach '
                'lasted 58 hours and was attributed to threat groups Scattered '
                'Spider, LAPSUS$, and ShinyHunters. Approximately 70,000 users '
                'worldwide were affected, with hackers exfiltrating '
                'government-issued IDs (e.g., passports, driver’s licenses), '
                'emails, full names, usernames, contact details, limited '
                'billing data (last four digits of card numbers, payment '
                'history), IP addresses, customer support messages, and '
                'internal training documentation. Hackers initially demanded a '
                '$5 million ransom, later reduced to $3.5 million, which '
                'Discord refused to pay. The incident highlights '
                'vulnerabilities in mandatory age verification systems, '
                'particularly under regulations like the UK’s Online Safety '
                'Act (effective July 2025).',
 'impact': {'brand_reputation_impact': ['negative publicity',
                                        'concerns over age verification '
                                        'security',
                                        'user distrust in mandatory ID checks'],
            'data_compromised': True,
            'downtime': '58 hours (breach duration)',
            'identity_theft_risk': ['high (government-issued IDs exposed)'],
            'operational_impact': ['revoked 5CA access',
                                   'internal investigation launched',
                                   'user notifications sent'],
            'payment_information_risk': ['low (only last four digits of card '
                                         'numbers exposed)'],
            'systems_affected': ['5CA customer service systems',
                                 'age verification appeals database']},
 'initial_access_broker': {'data_sold_on_dark_web': ['threatened (not yet '
                                                     'confirmed as of October '
                                                     '10, 2025)'],
                           'entry_point': '5CA systems (third-party vendor)',
                           'high_value_targets': ['age verification appeals '
                                                  'database',
                                                  'government-issued IDs']},
 'investigation_status': 'ongoing (as of October 10, 2025)',
 'lessons_learned': ['Third-party vendors introduce significant risk, '
                     'especially for sensitive processes like age '
                     'verification.',
                     'Mandatory age verification systems create centralized '
                     'targets for attackers, increasing exposure of '
                     'government-issued IDs.',
                     'Ransomware negotiations can prolong incident resolution '
                     'without guaranteeing data safety.',
                     'Proactive user communication and transparency are '
                     'critical during breaches involving PII.'],
 'motivation': ['financial gain (ransom)', 'data theft for dark web sale'],
 'post_incident_analysis': {'corrective_actions': ['Terminated 5CA’s access to '
                                                   'Discord systems.',
                                                   'Launched internal '
                                                   'investigation with law '
                                                   'enforcement support.',
                                                   'Reviewing age verification '
                                                   'processes and third-party '
                                                   'vendor security '
                                                   'standards.'],
                            'root_causes': ['Inadequate security controls at '
                                            'third-party vendor (5CA).',
                                            'Centralized storage of sensitive '
                                            'PII (government IDs) for age '
                                            'verification.',
                                            'Delayed public disclosure (12 '
                                            'days between detection and '
                                            'announcement).']},
 'ransomware': {'data_exfiltration': True,
                'ransom_demanded': '$5 million (initial), reduced to $3.5 '
                                   'million'},
 'recommendations': ['Enhance third-party vendor security assessments, '
                     'including penetration testing and access controls.',
                     'Implement multi-layered authentication for systems '
                     'handling government-issued IDs.',
                     'Advocate for decentralized or privacy-preserving age '
                     'verification methods to reduce data concentration risks.',
                     'Establish clear protocols for ransomware incidents, '
                     'including pre-approved legal and PR response plans.',
                     'Monitor dark web for exposed data and offer identity '
                     'protection services to affected users.'],
 'references': [{'source': 'BBC'}, {'source': 'Windows Central'}],
 'regulatory_compliance': {'regulations_violated': ['potential violations of '
                                                    'GDPR (EU)',
                                                    'UK Online Safety Act '
                                                    '(2025)'],
                           'regulatory_notifications': ['authorities notified '
                                                        '(unspecified)']},
 'response': {'communication_strategy': ['public statement (October 2, 2025)',
                                         'email notifications to affected '
                                         'users'],
              'containment_measures': ['revoked 5CA’s system access'],
              'incident_response_plan_activated': True,
              'law_enforcement_notified': True,
              'remediation_measures': ['internal investigation',
                                       'user notifications (email from '
                                       'noreply@discord.com)'],
              'third_party_assistance': ['law enforcement']},
 'stakeholder_advisories': ['Law enforcement collaboration in progress'],
 'threat_actor': ['Scattered Spider', 'LAPSUS$', 'ShinyHunters'],
 'title': 'Discord Data Breach via Third-Party Provider 5CA (Age Verification)',
 'type': ['data breach', 'third-party compromise', 'ransomware attempt']}