Discord experienced a significant data breach via a third-party vendor, 5CA, a customer service provider. The breach exposed sensitive data of over 70,000 users, including names, emails, Discord usernames, IP addresses, customer support interactions, and government ID images used for age verification. The hacking group Scattered Lapsus$ Hunters (SLH) claimed responsibility, breaching 5CA’s support ticket environment and stealing 1.6 terabytes of data, including internal dashboards and payment information. While 5CA denied direct involvement, Discord confirmed the vendor was the initial attack vector. The breach poses severe risks, including identity theft, fraud, and phishing attacks, as criminals may exploit leaked government IDs and personal details. Users were advised to enable Multi-Factor Authentication (MFA), monitor credit reports, and remain vigilant against phishing attempts. The incident highlights vulnerabilities in supply-chain security, where third-party breaches can have cascading effects on primary organizations and their users.
Source: https://www.bitdefender.com/en-gb/blog/hotforsecurity/discord-data-breach-5ca-leak-70000-ids
TPRM report: https://www.rankiteo.com/company/discord
{
    "id": "dis4802248110325",
    "linkid": "discord",
    "type": "Breach",
    "date": "5/2025",
    "severity": "85",
    "impact": "4",
    "explanation": "Attack with significant impact with customers data leaks"
}
{
    'affected_entities': [
        {
            'customers_affected': '70,000+ (Users with Government ID Verification)',
            'industry': 'Communication/Software',
            'location': 'Global (HQ: San Francisco, USA)',
            'name': 'Discord',
            'type': 'Technology Company'
        },
        {
            'industry': 'Customer Experience/Outsourcing',
            'location': 'Netherlands',
            'name': '5CA',
            'type': 'Third-Party Vendor'
        }
    ],
    'attack_vector': [
        'Third-Party Vendor Compromise',
        'Support Ticket System Exploitation'
    ],
    'customer_advisories': [
        'Discord will never call users about security issues; all official messages come from @email.discord.com.',
        'Avoid sharing personal information in response to unsolicited messages.',
        'Report suspicious activity to Discord’s Trust & Safety team.',
        'Check credit/identity reports for signs of fraud.'
    ],
    'data_breach': {
        'data_exfiltration': 'Yes (1.6 TB of Data)',
        'file_types_exposed': [
            'Images (IDs)',
            'Text (Support Tickets)',
            'Databases (Internal Dashboards)'
        ],
        'number_of_records_exposed': '70,000+ (Government IDs) + Undisclosed (Other Data)',
        'personally_identifiable_information': [
            'Names',
            'Emails',
            'Usernames',
            'IP Addresses',
            'Government ID Images'
        ],
        'sensitivity_of_data': 'High (Includes Government-Issued IDs and Payment Data)',
        'type_of_data_compromised': [
            'PII',
            'Government IDs',
            'Payment Information',
            'Support Tickets',
            'Internal Dashboards'
        ]
    },
    'date_publicly_disclosed': '2025-10-03',
    'description': "An unauthorized party (Scattered Lapsus$ Hunters) gained access to Discord's third-party customer service provider, 5CA, exposing data of over 70,000 users, including government ID images used for age verification. While Discord attributes the breach to 5CA, the vendor denies responsibility, citing no evidence of compromise in their systems and claiming the incident may have stemmed from human error outside their infrastructure. The attackers exfiltrated 1.6 TB of data, including support tickets, internal dashboards, payment information, and user PII.",
    'impact': {
        'brand_reputation_impact': 'High (Associated with Third-Party Vendor Dispute and Sensitive Data Exposure)',
        'data_compromised': [
            'Names',
            'Emails',
            'Discord Usernames',
            'IP Addresses',
            'Customer Support Interactions',
            'Government ID Images (~70,000 users)',
            'Payment Information',
            'Internal Dashboards'
        ],
        'identity_theft_risk': 'High (Due to Government ID Exposure)',
        'operational_impact': [
            'User Trust Erosion',
            'Increased Phishing Risks',
            'Identity Theft Risks'
        ],
        'payment_information_risk': 'Moderate (Partial Payment Data Accessed)',
        'systems_affected': [
            '5CA Support Ticket Environment',
            'Discord Customer Support/Trust & Safety Systems (indirectly)'
        ]
    },
    'initial_access_broker': {
        'data_sold_on_dark_web': 'Likely (1.6 TB Exfiltrated; SLH Extortion Claims)',
        'entry_point': '5CA Support Ticket Environment',
        'high_value_targets': [
            'Government ID Images',
            'Payment Information',
            'Internal Dashboards'
        ]
    },
    'investigation_status': 'Ongoing (Dispute Between Discord and 5CA; Human Error Alleged)',
    'lessons_learned': [
        'Third-party vendor risks in supply-chain attacks require stricter oversight and contractual security obligations.',
        'Human error remains a critical vulnerability even in secured systems.',
        'Proactive user education (e.g., MFA, phishing awareness) is essential post-breach.',
        'Dark web monitoring tools can mitigate long-term identity theft risks.'
    ],
    'motivation': ['Data Theft', 'Extortion', 'Financial Gain'],
    'post_incident_analysis': {
        'root_causes': [
            'Third-party vendor (5CA) compromise or human error outside 5CA’s systems (disputed).',
            'Inadequate segmentation between Discord and vendor environments.',
            'Over-reliance on government IDs for age verification without robust protection.'
        ]
    },
    'ransomware': {
        'data_encryption': 'No (Data Exfiltration Only)',
        'data_exfiltration': 'Yes (1.6 TB)',
        'ransom_demanded': 'Yes (Extortion Attempt by SLH)'
    },
    'recommendations': [
        'Conduct third-party security audits with focus on data handling practices.',
        'Implement zero-trust architectures for vendor access to sensitive systems.',
        'Enhance user verification processes to reduce reliance on government ID storage.',
        'Deploy automated dark web monitoring for exposed user data.',
        'Establish clear incident response protocols for supply-chain compromises.'
    ],
    'references': [
        {'source': 'Discord Official Statement (Oct 3, 2025)'},
        {'source': 'Discord Updated Statement (Oct 9, 2025)'},
        {'source': '5CA Denial Statement'},
        {'source': 'Bitdefender Advisory on Dark Web Monitoring'}
    ],
    'response': {
        'communication_strategy': [
            'Official Statements (Oct 3 & Oct 9, 2025)',
            'FAQ Updates',
            'User Security Advisories'
        ],
        'incident_response_plan_activated': 'Yes (Discord Issued Public Statements and User Advisories)',
        'remediation_measures': [
            'Public Disclosure',
            'User Guidance on MFA/Phishing',
            'Dark Web Monitoring Recommendations'
        ]
    },
    'stakeholder_advisories': [
        'Enable Multi-Factor Authentication (MFA).',
        'Monitor for phishing attempts exploiting breached data.',
        'Use identity-monitoring tools (e.g., Bitdefender Digital Identity Protection).',
        'Verify official communications via @email.discord.com only.'
    ],
    'threat_actor': 'Scattered Lapsus$ Hunters (SLH)',
    'title': 'Discord Data Breach via Third-Party Vendor (5CA)',
    'type': ['Data Breach', 'Supply-Chain Attack', 'Extortion']
}