Discord disclosed a security incident where an unauthorized party compromised one of its third-party customer service providers.
Summary
- The incident highlights the growing security risks posed by third-party service providers, even for major platforms with strong internal safeguards.
- While Discord’s core systems remain unaffected, the exposure of user data—including contact details, limited billing information, and ID images—underscores how support-related vulnerabilities can still lead to serious privacy concerns and potential phishing threats.
The hackers gained access to personal information from users who had contacted customer support or trust and safety teams.
The breach did not directly compromise Discord’s systems, and no messages or activities were accessed beyond what users discussed with support agents.
The company immediately revoked the compromised provider’s access to its ticketing system and launched an investigation with a computer forensics firm and law enforcement.
Discord is notifying affected users via email and warning that official communications will not come via phone calls.
Breach scope includes IDs, payment data, and support messages
The unauthorized party targeted Discord’s third-party customer support services to access user data with the intention of extorting a financial ransom from the company.
The compromised information includes names, Discord usernames, emails, contact details provided to customer support, and IP addresses.
Limited billing information was also exposed, including payment type, the last four digits of credit cards, and purchase history for accounts associated with support tickets.
Messages exchanged with customer service agents were accessible to the attackers, along with limited corporate data such as training materials and internal presentations.
A small number of government-issued ID images from users who appealed age determinations may have been accessed, including driver’s licenses and passports. Discord is specifying in individual notification emails whether a user’s ID was potentially compromised.
Full credit card numbers, CCV codes, passwords, and authentication data were not involved in the breach.
Messages or activity on Discord beyond customer support interactions remained secure and were not accessed by the unauthorized party.
Discord notifies authorities
Discord has notified relevant data protection authorities and proactively engaged with law enforcement to investigate the attack.
The company is reviewing its threat detection systems and security controls for third-party support providers to prevent similar incidents.
The platform plans to continue frequent audits of third-party systems to verify they meet security and privacy standards.
The company recommends impacted users remain alert for suspicious messages or communications that could represent phishing attempts exploiting the compromised information.
Users should verify that any Discord communications come from official channels and avoid clicking links in unexpected messages.
