Discord

Discord faced a major extortion attempt after cybercriminals breached its third-party customer service provider, Zendesk, compromising sensitive user data including 2.1 million government-issued ID photos (driver’s licenses, passports) used for age verification. The attack, attributed to the Scattered Lapsus$ Hunters (SLH) group, exploited a compromised support agent account, granting unauthorized access for 58 hours. Stolen data also included usernames, email addresses, partial billing details (last four digits of credit cards), IP addresses, and customer service message logs. While attackers claimed 1.5TB of data (affecting 5.5M users), Discord disputed the scale, confirming ~70,000 users had ID photos exposed. The company refused ransom demands, terminated the vendor relationship, and launched forensic investigations with law enforcement. The breach underscores supply chain risks and the dangers of storing sensitive verification documents with third parties. The threat of public data leaks remains active, with potential long-term repercussions for affected users, including identity theft and fraud.

Source: https://gbhackers.com/discord-data-breach-exposes-1-5-tb-of-data/

TPRM report: https://www.rankiteo.com/company/zyper.

{
  "id": "zyp2832128100925",
  "linkid": "zyper.",
  "type": "Breach",
  "date": "10/2025",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
{
  "affected_entities": [
    {
      "customers_affected": "~70,000 (Confirmed); Threat Actors Claim 5.5M Users Across 8.4M Support Tickets",
      "industry": "Communication Platforms / Social Media",
      "location": "San Francisco, California, USA",
      "name": "Discord Inc.",
      "size": "Large (150M+ Monthly Active Users)",
      "type": "Technology Company"
    },
    {
      "industry": "SaaS / Business Process Outsourcing",
      "location": "Global (HQ: San Francisco, California, USA)",
      "name": "Zendesk (Third-Party Vendor)",
      "type": "Customer Service Software Provider"
    },
    {
      "industry": "Customer Support Services",
      "name": "Outsourced Business Process Provider (Unnamed)",
      "type": "Business Process Outsourcing (BPO)"
    }
  ],
  "attack_vector": [
    "Compromised Third-Party Vendor (Zendesk)",
    "Credential Theft (Support Agent Account)",
    "Unauthorized Access"
  ],
  "customer_advisories": [
    "Affected users advised to monitor for identity theft and phishing attempts.",
    "Recommendations to enable two-factor authentication (2FA) on Discord accounts.",
    "Guidance on reporting suspicious activity to Discord’s Trust & Safety team."
  ],
  "data_breach": {
    "data_exfiltration": "Yes (1.5TB of Data Claimed by Threat Actors)",
    "file_types_exposed": [
      "Image Files (JPEG/PNG of IDs)",
      "Text-Based Support Tickets",
      "CSV/Database Exports"
    ],
    "number_of_records_exposed": {
      "claimed_by_threat_actor": "2,185,151 ID photos; 5.5M users across 8.4M support tickets",
      "confirmed": "70,000 users (ID photos)"
    },
    "personally_identifiable_information": [
      "Full Names",
      "Discord Usernames",
      "Email Addresses",
      "IP Addresses",
      "Partial Credit Card Numbers (Last 4 Digits)"
    ],
    "sensitivity_of_data": "High (Government IDs, PII, Billing Info)",
    "type_of_data_compromised": [
      "Personally Identifiable Information (PII)",
      "Government-Issued Identification Documents",
      "Financial Data (Partial)",
      "Support Interaction Records"
    ]
  },
  "date_detected": "2025-09-20",
  "date_publicly_disclosed": "2025-10-08",
  "description": "The popular communication platform Discord faced a major extortion attempt after cybercriminals breached one of its third-party customer service providers (Zendesk), compromising sensitive user data, including government identification photos used for age verification. The breach was carried out by the Scattered Lapsus$ Hunters (SLH) group, who demanded ransom and claimed to have exfiltrated 1.5TB of data, including 2.1 million+ government-issued ID photos. Discord disputed these figures, confirming ~70,000 users were affected. The incident highlights supply chain attack risks and vulnerabilities in outsourced customer service operations.",
  "impact": {
    "brand_reputation_impact": [
      "High (Sensitive Data Exposure)",
      "Loss of User Trust",
      "Media Scrutiny"
    ],
    "data_compromised": [
      "Government-Issued ID Photos (Driver’s Licenses, Passports)",
      "User Names",
      "Discord Usernames",
      "Email Addresses",
      "Billing Information (Payment Methods, Last 4 Digits of Credit Cards)",
      "Customer Service Message Exchanges",
      "User IP Addresses",
      "Support Ticket Data (8.4M tickets)"
    ],
    "identity_theft_risk": [
      "High (Exposed Government IDs)",
      "Phishing/Social Engineering Risks"
    ],
    "legal_liabilities": [
      "Potential Regulatory Fines (GDPR, CCPA, etc.)",
      "Class-Action Lawsuits (Pending)"
    ],
    "operational_impact": [
      "Termination of Third-Party Vendor Partnership",
      "Revocation of All Vendor Access to Ticketing Systems",
      "Internal Investigation and Forensic Analysis",
      "Collaboration with Law Enforcement and Data Protection Authorities"
    ],
    "payment_information_risk": [
      "Limited (Last 4 Digits of Credit Cards Only)"
    ],
    "systems_affected": [
      "Zendesk Customer Support Platform",
      "Discord Trust & Safety Ticketing Systems"
    ]
  },
  "initial_access_broker": {
    "data_sold_on_dark_web": [
      "Threatened (Not Yet Confirmed)"
    ],
    "entry_point": "Compromised Support Agent Account (Outsourced BPO Provider)",
    "high_value_targets": [
      "Discord Trust & Safety Ticketing Systems",
      "Zendesk Customer Support Platform"
    ]
  },
  "investigation_status": "Ongoing (Collaboration with Forensics Firm and Law Enforcement)",
  "lessons_learned": [
    "Supply chain attacks pose significant risks when third-party vendors have access to sensitive data.",
    "Outsourced customer support operations require stricter access controls and monitoring.",
    "Storing government-issued IDs for age verification introduces high-risk exposure if breached.",
    "Proactive threat intelligence and vendor risk assessments are critical."
  ],
  "motivation": [
    "Financial Gain (Ransom Extortion)",
    "Data Theft for Dark Web Sale",
    "Reputational Damage"
  ],
  "post_incident_analysis": {
    "corrective_actions": [
      "Terminated partnership with compromised vendor.",
      "Revoked all third-party access to ticketing systems.",
      "Engaged forensic experts for incident analysis.",
      "Enhanced access controls and monitoring for customer support operations.",
      "Reviewing data retention policies for verification documents."
    ],
    "root_causes": [
      "Insufficient security controls for third-party vendor access.",
      "Lack of continuous monitoring for outsourced support agents.",
      "Over-reliance on third-party platforms (Zendesk) for sensitive data handling.",
      "Inadequate segmentation between Discord’s infrastructure and vendor systems."
    ]
  },
  "ransomware": {
    "data_encryption": "No (Data Exfiltration Only)",
    "data_exfiltration": "Yes (1.5TB Claimed)",
    "ransom_demanded": "Yes (Amount Undisclosed)",
    "ransom_paid": "No (Discord Refused to Pay)"
  },
  "recommendations": [
    "Implement Multi-Factor Authentication (MFA) for all third-party vendor access.",
    "Conduct regular security audits of outsourced business process providers.",
    "Minimize storage of sensitive verification documents (e.g., government IDs).",
    "Enhance logging and monitoring for customer support systems.",
    "Develop a robust incident response plan for supply chain attacks.",
    "Evaluate alternatives to storing high-sensitivity data (e.g., tokenization)."
  ],
  "references": [
    {
      "date_accessed": "2025-10-08",
      "source": "vx-underground (X/Twitter)",
      "url": "https://twitter.com/vxunderground/status/[redacted]"
    },
    {
      "date_accessed": "2025-10-08",
      "source": "Discord Official Statement"
    },
    {
      "date_accessed": "2025-10-08",
      "source": "GBHackers (Cybersecurity News)",
      "url": "https://gbhackers.com/discord-breach-2025"
    }
  ],
  "regulatory_compliance": {
    "legal_actions": [
      "Ongoing Investigations by Data Protection Authorities"
    ],
    "regulations_violated": [
      "Potential GDPR (EU)",
      "CCPA (California)",
      "Other Data Protection Laws"
    ],
    "regulatory_notifications": [
      "Notifications to Relevant Authorities (Confirmed)"
    ]
  },
  "response": {
    "communication_strategy": [
      "Public Disclosure via Social Media (X/Twitter)",
      "Direct Email Notifications to Affected Users",
      "Media Statements Disputing Threat Actor Claims"
    ],
    "containment_measures": [
      "Revoked All Vendor Access to Ticketing Systems",
      "Isolated Affected Systems"
    ],
    "enhanced_monitoring": [
      "Increased Monitoring of Customer Support Systems"
    ],
    "incident_response_plan_activated": "Yes (Immediate Termination of Vendor Partnership)",
    "law_enforcement_notified": "Yes (Collaboration with Law Enforcement and Data Protection Authorities)",
    "remediation_measures": [
      "Internal Investigation",
      "Forensic Analysis of Compromised Systems",
      "User Notifications (Email Alerts for Affected Individuals)"
    ],
    "third_party_assistance": [
      "Leading Computer Forensics Firm (Unnamed)"
    ]
  },
  "stakeholder_advisories": [
    "Users with compromised government IDs notified via email.",
    "Public updates provided via Discord’s official social media channels."
  ],
  "threat_actor": "Scattered Lapsus$ Hunters (SLH)",
  "title": "Discord Third-Party Vendor Breach and Extortion Attempt (2025)",
  "type": [
    "Data Breach",
    "Extortion",
    "Supply Chain Attack"
  ],
  "vulnerability_exploited": [
    "Weak Third-Party Security Controls",
    "Insufficient Access Management",
    "Outsourced Business Process Provider Vulnerabilities"
  ]
}