Discord

Discord experienced a security breach through a compromised third-party customer support vendor, exposing sensitive user data. Approximately 70,000 users had their government-issued ID photos accessed, and broader support-related data was also exposed: usernames, email addresses, partial billing metadata (last four digits of credit cards), IP addresses, and support conversation transcripts. The attackers then used the stolen data to extort Discord, initially demanding $5 million before reducing the demand to $3.5 million. Discord denied the attackers' claim of having stolen 1.6 TB of data affecting ~5.5 million users, but the incident underscores the risk that third-party vendors introduce. The breach did not compromise full credit card details, passwords, authentication tokens, or private messages beyond the support interactions themselves. Discord revoked the vendor’s access, launched an investigation, and notified affected users, but concerns remain over data retention policies (government IDs were retained after verification) and the phishing risk to users whose data was exposed.

Source: https://cyberinsider.com/discord-confirms-70000-government-ids-exposed-in-third-party-breach/

TPRM report: https://www.rankiteo.com/company/discord

{
  "id": "dis5632656100925",
  "linkid": "discord",
  "type": "Breach",
  "date": "10/2025",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{'affected_entities': [{'customers_affected': '~70,000 (government ID '
                                              'exposure); ~5.5 million '
                                              '(disputed by Discord)',
                        'industry': 'communication/platform',
                        'location': 'global (HQ: San Francisco, USA)',
                        'name': 'Discord Inc.',
                        'size': '150+ million monthly active users',
                        'type': 'technology company'},
                       {'industry': 'customer support services',
                        'name': 'Unnamed Third-Party Support Vendor',
                        'type': 'business process outsourcing (BPO) firm'}],
 'attack_vector': ['compromised third-party vendor account',
                   'credential theft (support agent account)',
                   'exploitation of outsourced BPO firm'],
 'customer_advisories': ['Enable MFA, watch for phishing, review account '
                         'activity for suspicious logins.',
                         'Government ID exposure limited to ~70,000 users '
                         'involved in age verification appeals.'],
 'data_breach': {'data_exfiltration': ['claimed 1.6 TB by attackers (1.5 TB '
                                       'attachments, 100+ GB transcripts)'],
                 'file_types_exposed': ['image files (IDs)',
                                        'text transcripts',
                                        'metadata (CSV/JSON likely)'],
                 'number_of_records_exposed': ['~70,000 (government IDs)',
                                               '~5.5 million (disputed by '
                                               'Discord)'],
                 'personally_identifiable_information': ['usernames',
                                                         'email addresses',
                                                         'IP addresses',
                                                         'phone numbers '
                                                         '(claimed)',
                                                         'government ID '
                                                         'images'],
                 'sensitivity_of_data': 'high (government IDs, partial payment '
                                        'data)',
                 'type_of_data_compromised': ['personally identifiable '
                                              'information (PII)',
                                              'government-issued '
                                              'identification images',
                                              'partial payment information',
                                              'support communication records']},
 'date_detected': '2025-09-20',
 'date_publicly_disclosed': '2025-10-03',
 'description': 'Discord disclosed a security breach stemming from a '
                'compromised third-party customer support vendor, exposing '
                'sensitive user data including government ID photos for '
                '~70,000 users. Attackers attempted extortion after accessing '
                'support-related data, including usernames, email addresses, '
                'partial billing metadata, IP addresses, and support '
                "conversation transcripts. Discord denied the attackers' "
                'claims of exposing 5.5 million users and 1.6 TB of data, '
                'attributing the inflated figures to extortion tactics. The '
                "breach did not compromise Discord's core infrastructure, "
                'passwords, authentication tokens, or private messages.',
 'impact': {'brand_reputation_impact': ['moderate (public dispute over breach '
                                        'scope, extortion threats)'],
            'customer_complaints': ['expected increase due to phishing risks '
                                    'and data exposure'],
            'data_compromised': ['usernames',
                                 'email addresses',
                                 'last four digits of credit card numbers '
                                 '(limited billing metadata)',
                                 'IP addresses',
                                 'support conversation transcripts',
                                 'government-issued ID images (~70,000 users)',
                                 'support ticket attachments (disputed volume)',
                                 'phone numbers (claimed by attackers)'],
            'identity_theft_risk': ['high for ~70,000 users with exposed '
                                    'government IDs'],
            'legal_liabilities': ['potential regulatory scrutiny over '
                                  'third-party vendor oversight and data '
                                  'retention'],
            'operational_impact': ['revoked vendor access to support ticketing '
                                   'system',
                                   'internal investigation launched',
                                   'user notifications sent'],
            'payment_information_risk': ['low (only last four digits of credit '
                                         'cards exposed; no full numbers or '
                                         'CVV codes)'],
            'systems_affected': ['third-party Zendesk support instance',
                                 'Zenbar internal support tool (claimed by '
                                 'attackers)']},
 'initial_access_broker': {'backdoors_established': ['claimed access to Zenbar '
                                                     'internal tool '
                                                     '(disputed)'],
                           'data_sold_on_dark_web': ['threatened leak if '
                                                     'ransom unpaid (status '
                                                     'unknown)'],
                           'entry_point': 'compromised support agent account '
                                          'at third-party BPO firm',
                           'high_value_targets': ['support ticket attachments '
                                                  '(1.5 TB claimed)',
                                                  'payment-related data '
                                                  '(~580,000 entries '
                                                  'claimed)']},
 'investigation_status': 'ongoing (internal investigation with digital '
                         'forensics firm)',
 'lessons_learned': ['Third-party vendor risks require stricter access '
                     'controls and monitoring.',
                     'Data retention policies for sensitive documents (e.g., '
                     'government IDs) need review.',
                     'Extortion attempts may involve exaggerated claims to '
                     'pressure victims.'],
 'motivation': 'financial gain (ransom extortion)',
 'post_incident_analysis': {'corrective_actions': ['Vendor access revoked and '
                                                   'likely terminated.',
                                                   'Digital forensics '
                                                   'investigation underway.',
                                                   'User notifications and '
                                                   'phishing warnings issued.'],
                            'root_causes': ['Insufficient security controls at '
                                            'third-party vendor.',
                                            'Over-reliance on outsourced '
                                            'support without adequate '
                                            'oversight.',
                                            'Lack of timely data purging '
                                            '(retained government IDs '
                                            'post-verification).']},
 'ransomware': {'data_exfiltration': True,
                'ransom_demanded': ['$5 million (initial)',
                                    '$3.5 million (reduced)']},
 'recommendations': ['Users: Enable MFA, monitor for phishing, review account '
                     'activity.',
                     'Discord: Enhance third-party vendor security audits, '
                     'implement stricter data retention limits, improve '
                     'segmentation between core systems and support tools.',
                     'Industry: Adopt zero-trust principles for third-party '
                     'integrations, especially in support chains.'],
 'references': [{'source': 'BleepingComputer'},
                {'source': 'Discord Official Statements (Oct 3, Oct 8, 2025)'}],
 'regulatory_compliance': {'regulatory_notifications': ['likely (not '
                                                        'explicitly stated)']},
 'response': {'communication_strategy': ['public statements (Oct 3, Oct 8 '
                                         'updates)',
                                         'direct user notifications',
                                         'media engagement to dispute attacker '
                                         'claims'],
              'containment_measures': ['revoked vendor access to support '
                                       'ticketing system'],
              'enhanced_monitoring': ['likely (not explicitly stated)'],
              'incident_response_plan_activated': True,
              'law_enforcement_notified': True,
              'remediation_measures': ['internal investigation',
                                       'user notifications via email '
                                       '([email protected])'],
              'third_party_assistance': ['leading digital forensics firm']},
 'stakeholder_advisories': ['Users notified via email; public statements '
                            'issued'],
 'threat_actor': ['unknown (extortion-focused group)',
                  'claimed access via compromised Zendesk support instance'],
 'title': 'Discord Third-Party Support Vendor Data Breach',
 'type': ['data breach', 'extortion attempt', 'third-party compromise'],
 'vulnerability_exploited': ['weak access controls at third-party vendor',
                             'inadequate segmentation between Discord and '
                             'vendor systems',
                             'improper data retention practices (government '
                             'IDs)']}