Breach cyber

Discord

Jul 1, 2025 3 min read
Discord

Discord confirmed a security breach via a third-party customer support vendor (reportedly Zendesk), where an attacker compromised the support agent’s ticket queue, exposing sensitive user data. The stolen information includes names, Discord usernames, email addresses, contact details, support messages, partial billing data (last four digits of credit cards), and government-issued ID images (e.g., driver’s licenses, passports) submitted for age verification. The attacker, linked to the Scattered Lapsus$ Hunters group, demanded a ransom and threatened further leaks via their Data Leak Site (DLS). While Discord’s core systems remained unbreached, the incident heightens risks of identity theft, phishing, and financial fraud for affected users. The company revoked vendor access, launched forensics investigations, and cooperated with law enforcement but withheld key details like the breach duration, vendor name, and total impacted users. Previous attacks (e.g., Epsilon Red ransomware in July 2025) underscore Discord’s recurring vulnerabilities in third-party and platform security.

Source: https://hackread.com/discord-data-breach-hackers-ids-billing-support-chats/

TPRM report: https://www.rankiteo.com/company/discord

"id": "dis3792037100425",
"linkid": "discord",
"type": "Breach",
"date": "7/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 'Limited number of users who '
                                              'contacted Customer Support or '
                                              'Trust & Safety teams (exact '
                                              'count undisclosed)',
                        'industry': ['Social Media',
                                     'Gaming',
                                     'Communication Platforms'],
                        'location': 'San Francisco, California, USA',
                        'name': 'Discord Inc.',
                        'type': 'Technology Company'},
                       {'industry': 'Customer Support Software',
                        'name': 'Zendesk (alleged)',
                        'type': 'Third-Party Customer Service Provider'}],
 'attack_vector': ['Third-Party Vendor Exploitation (Zendesk)',
                   'Unauthorized Access to Support Ticket Queue'],
 'customer_advisories': ['Email notifications sent to affected users',
                         'Guidance on identifying legitimate communications'],
 'data_breach': {'data_exfiltration': True,
                 'file_types_exposed': ['Text (support tickets)',
                                        'Images (ID scans)'],
                 'personally_identifiable_information': True,
                 'sensitivity_of_data': ['High (PII, government IDs, financial '
                                         'partials)'],
                 'type_of_data_compromised': ['Names',
                                              'Discord usernames',
                                              'Email addresses',
                                              'Contact details',
                                              'Customer support messages',
                                              'Partial billing details '
                                              '(payment method, last four '
                                              'digits of credit card)',
                                              'Government-issued ID images '
                                              '(driver’s licenses, '
                                              'passports)']},
 'date_publicly_disclosed': '2025-10-03',
 'description': 'Discord confirmed a security incident involving a third-party '
                'customer service provider (allegedly Zendesk), resulting in '
                'the exposure of personal information for users who had '
                'recently contacted Discord’s Customer Support or Trust & '
                "Safety teams. The attacker, identified as 'Scattered Lapsus$ "
                "Hunters,' gained unauthorized access to the support agent’s "
                'ticket queue, stealing sensitive data including names, email '
                'addresses, partial billing details, and government-issued ID '
                'images. The primary motivation appears to be financial '
                'extortion, with the group threatening to leak additional data '
                'on their Data Leak Site (DLS).',
 'impact': {'brand_reputation_impact': ['Erosion of user trust',
                                        'Media scrutiny over third-party '
                                        'security',
                                        'Pattern of recurring cybersecurity '
                                        'incidents'],
            'customer_complaints': ['Concerns over phishing risks',
                                    'Verification of breach notification '
                                    'emails'],
            'data_compromised': True,
            'identity_theft_risk': ['High (due to exposure of '
                                    'government-issued IDs, PII, and partial '
                                    'payment details)'],
            'legal_liabilities': ['Potential regulatory fines',
                                  'Data protection authority notifications'],
            'operational_impact': ['Revoked vendor access',
                                   'Internal investigation',
                                   'Forensic analysis',
                                   'Law enforcement cooperation'],
            'payment_information_risk': ['Limited (last four digits of credit '
                                         'cards, payment methods)'],
            'systems_affected': ['Third-Party Customer Service Provider '
                                 '(Zendesk) Ticketing System']},
 'initial_access_broker': {'data_sold_on_dark_web': ['Threatened via Data Leak '
                                                     'Site (DLS)'],
                           'entry_point': 'Third-party customer service '
                                          'provider (Zendesk ticketing system)',
                           'high_value_targets': ['Support ticket queue',
                                                  'Government-issued ID images',
                                                  'Billing partials']},
 'investigation_status': 'Ongoing (internal investigation with forensic firm '
                         'assistance)',
 'motivation': ['Financial Extortion',
                'Data Theft for Resale',
                'Reputation Damage'],
 'post_incident_analysis': {'root_causes': ['Third-party vendor security '
                                            'vulnerabilities',
                                            'Insufficient access controls for '
                                            'sensitive support data']},
 'ransomware': {'data_exfiltration': True, 'ransom_demanded': True},
 'recommendations': ['Enhance third-party vendor security assessments',
                     'Implement stricter access controls for support systems',
                     'Monitor for phishing attempts targeting affected users',
                     'Review identity verification processes to minimize data '
                     'exposure'],
 'references': [{'date_accessed': '2025-10-03',
                 'source': 'Discord Official Statement'},
                {'source': 'Reddit (User Discussions on Breach Notifications)'},
                {'source': 'Hackread.com (Scattered Lapsus$ Hunters’ Data Leak '
                           'Site Coverage)'},
                {'source': 'Telegram (Hacker Group’s Screenshots and Claims)'}],
 'regulatory_compliance': {'regulatory_notifications': ['Relevant data '
                                                        'protection '
                                                        'authorities '
                                                        'notified']},
 'response': {'communication_strategy': ['Official email notifications to '
                                         'affected users (from '
                                         '@emails.discord.com)',
                                         'Public statement on October 3, 2025',
                                         'Advisories on phishing risks'],
              'containment_measures': ['Revoked third-party vendor’s access to '
                                       'ticketing system'],
              'incident_response_plan_activated': True,
              'law_enforcement_notified': True,
              'remediation_measures': ['Internal investigation',
                                       'Forensic analysis'],
              'third_party_assistance': ['Leading computer forensics firm']},
 'stakeholder_advisories': ['Users advised to verify breach notifications via '
                            'official @emails.discord.com address',
                            'Warning against phishing attempts'],
 'threat_actor': ['Scattered Lapsus$ Hunters (coalition of Scattered Spider, '
                  'Lapsus$, ShinyHunters)'],
 'title': 'Discord Third-Party Customer Service Data Breach (2025)',
 'type': ['Data Breach',
          'Third-Party Vendor Compromise',
          'Identity Theft Risk']}
Published by
Jeremy C
Jeremy C
You might also like
Great! Next, complete checkout for full access to Rankiteo Blog.
Welcome back! You've successfully signed in.
You've successfully subscribed to Rankiteo Blog.
Success! Your account is fully activated, you now have access to all content.
Success! Your billing info has been updated.
Your billing was not updated.