The popular voice and text platform Discord has confirmed a data breach incident affecting a significant number of its users who had submitted government identification for age verification. Discord, which boasts over 200 million monthly active users, confirmed the breach in an official update on October 3, 2025, which was reported by Hackread.com. This update explained that the compromise did not affect Discord’s main systems.
As per Discord’s latest statement published on October 8, 2025, approximately 70,000 users globally may have had photos of their government-issued IDs exposed in the breach. It is worth noting that this security failure did not happen directly on Discord’s main systems but through one of the platform’s third-party customer service providers. This reliance on external vendors for support operations has become a common point of vulnerability for many companies.
Further probing revealed the attackers, who claimed responsibility, accessed a customer support system, which they alleged was Discord’s Zendesk instance, for about 58 hours beginning on September 20, 2025. They reportedly gained access by compromising an account belonging to a support agent from an outsourced business company used by Discord.
Conflicting Claims and Extortion Attempt
While Discord limits the exposed ID photos to about 70,000 users, primarily those appealing age-related decisions, the attackers are claiming a much larger haul. For your information, VX-underground reported on October 8, 2025, that the hackers claimed to have stolen 1.5TB of age verification-related photos and that 2.1 million Discord users’ driver’s licenses and/or passports might be leaked.
The hackers allege they stole 1.6 TB of data, impacting 5.5 million unique users, by exploiting Zendesk’s internal support application (Zenbar) that allowed them to perform sensitive actions like disabling MFA and retrieving users’ phone numbers, emails, and internal data via API queries.
They claim 521,000 age-verification tickets were involved, suggesting the number of exposed IDs is far greater than the 70,000 confirmed by Discord (These claims remain unverified).
In response, Discord has publicly stated that the attackers are circulating inaccurate information about the breach of the customer service provider as part of an extortion attempt. However, Discord’s statement clarifies the situation and their next steps.
“First, as stated in our blog post, this was not a breach of Discord, but rather a third-party service we use to support our customer service efforts. Second, the numbers being shared are incorrect and part of an attempt to extort a payment from Discord….Third, we will not reward those responsible for their illegal actions.”
Discord
Discord also confirmed that it has informed all affected users worldwide and is working closely with law enforcement agencies, data protection authorities, and external security experts. The company stated that it has secured the impacted systems and ended its relationship with the compromised vendor. It added that protecting users’ personal data remains a top priority and acknowledged the concern the incident may have caused.
Security Steps for Affected Users
The exposed user data, which includes information provided during support requests, may contain real names, usernames, email addresses, contact details, IP addresses, and partial payment information, such as the last four digits of a credit card. Discord has confirmed, however, that no full credit card numbers, passwords, or authentication data were accessed.
Still, all affected users should immediately enable Multi-Factor Authentication (MFA) on their Discord and associated email accounts and remain alert against phishing attempts. Remember that Discord’s official communication comes only from [email protected]. If your government ID was compromised, monitor credit and financial reports for identity theft.
