Discord has confirmed a significant data breach involving a third-party customer service provider, resulting in the exposure of sensitive government-issued photo identification for approximately 70,000 users.
The company disclosed the incident last week, noting that the breach did not involve a direct attack on its core systems. Instead, hackers successfully compromised an unnamed external vendor responsible for handling customer support and Trust & Safety functions.
The most critical data exposed belongs to users who had communicated with the support teams, particularly those who submitted documents for age-related appeals. Discord stated that these users may have had photos of their government-issued IDs, such as driver’s licenses or passports, exposed.
The volume of the compromise is under dispute. Discord identified about 70,000 users globally who may have had their ID photos accessed. However, the hackers behind the incident have claimed to have stolen a far greater volume of data, including up to 1.5 terabytes of age verification-related photos. Discord has dismissed these larger numbers as “incorrect” and part of the extortion attempt.
In addition to the sensitive photo IDs, the unauthorized party gained access to a wide range of personal information shared with customer service agents, including real names, email addresses, IP addresses, limited billing information, and internal corporate data.
Discord confirmed that full credit card numbers, CCV codes, and user passwords were not impacted by the breach. User messages and activity outside of customer support conversations were also unaffected.
Third-Party Risk Highlights a Systemic Flaw
The incident is a reminder of the escalating risks associated with third-party vendors. A company’s overall security posture is only as strong as the weakest link in its supply chain. In this case, a customer support platform, a type of system that often retains sensitive data to manage user appeals, became the primary target.
Following the discovery of the breach, a Discord spokesperson confirmed that the company took immediate action, stating, “We’ve secured the affected systems and ended work with the compromised vendor.” By that point, however, the data had already been exposed.
Discord has notified all users whose data may have been impacted and is working with law enforcement, cybersecurity experts, and data protection authorities to manage the aftermath of the incident. The company maintains that it will not reward the perpetrators for their illegal actions. Affected users are advised to be highly vigilant for suspicious communications, as the stolen personal data could be used in phishing or identity fraud attempts.
Written by Clement Saudu