Discord Data Breach – 1.5 TB of Data and 2 Million Government ID Photos Extorted


The popular communication platform Discord is facing an extortion attempt following a significant data breach at one of its third-party customer service providers, Zendesk.

Threat actors claim to have stolen 1.5 terabytes of sensitive data, including over 2.1 million government-issued identification photos used for age verification.

While Discord confirms the breach, it disputes the scale of the incident, stating that approximately 70,000 users had their ID photos exposed.

The breach, which occurred on September 20, 2025, did not compromise Discord’s own servers; it targeted the customer support systems managed by the third-party vendor.

The attackers reportedly gained access for 58 hours by compromising the account of a support agent employed by an outsourced business process provider.

A notorious cybercrime group known as Scattered Lapsus$ Hunters (SLH) has claimed responsibility, taunting the company publicly while attempting to secure a ransom.

The compromised information is extensive and primarily affects users who interacted with Discord’s Customer Support or Trust & Safety teams.

The stolen data includes names, Discord usernames, email addresses, and limited billing details such as payment type and the last four digits of credit card numbers. Additionally, messages exchanged with customer service agents and user IP addresses were exposed.

The most alarming aspect of the breach is the theft of government-ID images, such as driver’s licenses and passports, which were submitted by users to appeal age-related account restrictions.

The attackers claim to possess 2,185,151 of these photos, a figure Discord has labeled as “inaccurate” and part of the extortion effort. The hackers allege the data haul affects 5.5 million unique users across 8.4 million support tickets.

In contrast, Discord maintains that its investigation has identified around 70,000 affected users globally whose IDs may have been exposed.

Discord has stated it will not pay the ransom demanded by the cybercriminals. Upon discovering the incident, the company immediately revoked the compromised vendor’s access to its ticketing system and terminated its partnership with them.

Discord has launched an internal investigation, engaged a leading computer forensics firm, and is collaborating with law enforcement and data protection authorities to address the attack.

The company is in the process of notifying all affected users via email from the address [email protected] and has warned users that it will not contact them through any other channel regarding this matter.

The notification email will specify if a user’s government ID was part of the compromised data. Discord has assured its community that the breach did not expose full credit card numbers, passwords, or any private messages or activity outside of customer support interactions.

This incident highlights the growing threat of supply chain attacks, where attackers target less secure third-party partners to access the data of larger organizations.

The incident is ongoing, and the full impact will depend on whether the threat actors follow through on their threat to release the stolen data.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.