Discord has announced a recent security incident in which an unauthorized party successfully breached one of its external customer service providers. The platform described the breach as “limited,” but it allowed access to sensitive personal data, including government ID images, raising serious privacy concerns.
According to an official statement from Discord, the incident was discovered in recent days, with attackers targeting external support services for extortion and ransom purposes. The company confirmed that the attackers did not gain direct access to Discord’s main servers and could not access messages or activities beyond interactions with support agents.
Access to Personal Data and ID Images
Discord clarified that the affected data includes limited information linked to its customer service system, such as:
- Names, Discord usernames, email addresses, and other contact details.
- Partial billing information, including payment type, the last four digits of credit cards, and purchase history.
- IP addresses.
- Messages exchanged with support agents.
- Limited company data such as training materials and internal presentations.
The company also highlighted that the breach included a “small number of government ID images (such as driver’s licenses or passports) from users who appealed age verification decisions.”
Affected users will receive an email notification from [email protected], indicating whether their ID images were accessed. Discord also confirmed that the data not affected includes complete credit card numbers, CVV codes, passwords, and authentication information, as well as public messages and activities on the platform.
Immediate Response and Investigations
Upon discovering the attack, Discord took emergency measures including revoking the external provider’s access to the ticketing system, initiating an internal investigation, and engaging a specialized cybersecurity firm. The company collaborated with law enforcement to track the attackers and notified data protection authorities. “We are working closely with law enforcement to investigate this matter,” Discord stated, noting a review of threat detection systems and security controls for external providers.
This is not the first time Discord has faced security issues; users on Reddit pointed out that this is the “third breach this year” on the support side, raising questions about the effectiveness of the company’s auditing of external partners. A report by a security firm described support services as the “weakest link” in such attacks.
