Discord Under Siege: 2 Million or 70,000 IDs Compromised? The Truth Behind the Zendesk Breach

📅 October 10, 2025 | ⏱ 4 min read | 🔐 Category: Data Breaches

Discord is embroiled in a high-stakes standoff with cybercriminals who claim to have stolen sensitive data from 5.5 million users, including over 2 million government identification photos. The social platform insists the actual impact is far smaller—around 70,000 ID photos—and has flatly refused to pay the attackers’ multi-million dollar ransom demand. As negotiations collapsed and threats of public data leaks escalate, the incident exposes critical vulnerabilities in how companies protect user data through outsourced business process providers.

The breach, which occurred on September 20, 2025, represents yet another case where a third-party vendor becomes the weak link in an otherwise secure infrastructure. What makes this incident particularly concerning is the type of data at risk: government-issued identification documents that users submitted for age verification, potentially enabling identity theft and fraud on a massive scale.

The 58-Hour Window That Changed Everything

The attack began when hackers gained access to Discord’s Zendesk customer support instance through a compromised support agent account. The agent worked for a business process outsourcing (BPO) provider that Discord had contracted to handle customer service functions. The attackers, identifying themselves as Scattered Lapsus$ Hunters, maintained unfettered access for 58 hours beginning September 20, systematically exfiltrating data before Discord detected the intrusion.

During this critical window, the hackers allegedly used Zenbar, an internal support application accessible through Zendesk, to perform various administrative tasks including disabling multi-factor authentication protections and looking up users’ personal information like phone numbers and email addresses. This level of access transformed what could have been a limited data exposure into a comprehensive breach of customer support systems.

The attackers claim to have stolen approximately 1.6 terabytes of data, consisting of 1.5 TB of support ticket attachments and over 100 GB of ticket transcripts spanning roughly 8.4 million support tickets. This massive data haul allegedly affects 5.5 million unique Discord users who interacted with the platform’s customer support or trust and safety teams.

The Great ID Photo Dispute

The most contentious aspect of the breach centers on how many government identification photos were compromised. Discord maintains that approximately 70,000 users had their ID photos exposed—documents submitted primarily for age verification appeals required under regulations like the UK’s Online Safety Act.

The attackers vehemently dispute this figure, claiming they obtained 2.1 million photos of government IDs, including driver’s licenses, passports, and other sensitive identification documents. Interestingly, even the hackers acknowledge uncertainty about the exact number, telling security researchers they believe it exceeds 70,000 based on the presence of approximately 521,000 age-verification-related tickets in the stolen data.

This numerical discrepancy raises troubling questions about data retention practices. Why would Discord maintain government IDs after completing age verification? The company has not addressed this concern, leaving unanswered questions about whether proper data minimization principles were followed.

The stolen identification documents represent a goldmine for identity thieves and fraudsters. High-quality scans of government IDs can be used to open fraudulent accounts, apply for credit, bypass security checks, or create sophisticated phishing campaigns targeting the verified individuals.

What the Hackers Actually Stole

Beyond the disputed ID photos, the stolen data encompasses a wide range of personal information that Discord users provided during support interactions. The compromised records allegedly include email addresses, Discord usernames and unique identifiers, phone numbers, dates of birth, partial payment information, IP addresses, and internal security flags and notes.

Perhaps most concerning is the payment information exposure. The attackers claim that about 580,000 users had some form of payment data compromised, including payment types, last four digits of credit card numbers, and purchase histories. While full credit card numbers and CVV codes were not exposed, the partial information combined with other personal details creates significant fraud risks.

The hackers also allege that Zendesk integrations with Discord’s internal systems allowed them to perform millions of API queries against Discord’s database, retrieving additional information beyond what was directly stored in support tickets. If accurate, this suggests the breach extended deeper into Discord’s infrastructure than a simple support system compromise.

The BPO Vulnerability Pipeline

The Discord breach highlights a growing security challenge as companies increasingly outsource customer support and IT helpdesk functions to business process outsourcing providers. These BPO arrangements create expanded attack surfaces where security controls may be inconsistent across organizational boundaries.

When a BPO employee’s credentials are compromised—whether through phishing, credential stuffing, or insider threats—attackers gain legitimate access to customer systems without needing to exploit technical vulnerabilities. The breach didn’t result from a flaw in Zendesk’s software but rather from compromised credentials belonging to an outsourced support agent.

This attack vector is particularly insidious because it bypasses many traditional security controls. The access appears legitimate from a technical perspective, making it difficult for automated systems to detect the intrusion. Only after 58 hours of unrestricted access did Discord apparently identify the unauthorized activity and revoke the compromised credentials.
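Valid credentials defeat login-time controls, but the behaviour that follows still leaves a trail in the support platform's audit log: an account that opens hundreds of user records an hour, or disables MFA on accounts with no ticket attached, does not look like ticket work. The following is an added example, not Discord's or Zendesk's code, showing how a defender could score per-agent activity from such a log. The log line format, field names, agent identifiers, and the 50-lookups-per-hour baseline are all constructed for illustration; the 58-hour span in the sample is chosen to mirror the dwell time the article reports.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Constructed audit-line format (not Zendesk's real schema):
#   <ISO-8601 UTC> agent=<id> action=<name> target=<object> ticket=<id|none>
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) agent=(?P<agent>\S+) "
    r"action=(?P<action>\S+) target=(?P<target>\S+) ticket=(?P<ticket>\S+)$"
)

LOOKUP_ACTIONS = {"user.lookup", "user.pii_view"}
SENSITIVE_ACTIONS = {"user.mfa_disable"}
# Constructed baseline: a human agent working tickets rarely opens more than
# this many distinct user records in a single hour.
LOOKUPS_PER_HOUR_THRESHOLD = 50


def parse_line(line):
    """Parse one audit line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc
    )
    return rec


def analyze(lines):
    """Return {agent: findings} for agents whose activity breaks the baseline.

    Two signals are checked, both visible even when the login itself was valid:
    * bulk lookups: more than LOOKUPS_PER_HOUR_THRESHOLD records in one hour
    * a sensitive account action (MFA disable) with no ticket attached
    The dwell time (first to last event) is reported for every flagged agent.
    """
    lookups = defaultdict(Counter)       # agent -> Counter(hour_bucket -> count)
    untied_sensitive = defaultdict(int)  # agent -> sensitive actions with ticket=none
    first, last = {}, {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that do not match the expected format
        agent, ts = rec["agent"], rec["ts"]
        first[agent] = min(first.get(agent, ts), ts)
        last[agent] = max(last.get(agent, ts), ts)
        if rec["action"] in LOOKUP_ACTIONS:
            lookups[agent][ts.replace(minute=0, second=0, microsecond=0)] += 1
        if rec["action"] in SENSITIVE_ACTIONS and rec["ticket"] == "none":
            untied_sensitive[agent] += 1

    findings = {}
    for agent in first:
        peak = max(lookups[agent].values(), default=0)
        reasons = []
        if peak > LOOKUPS_PER_HOUR_THRESHOLD:
            reasons.append(f"bulk_lookups:{peak}/h")
        if untied_sensitive[agent]:
            reasons.append(f"mfa_disable_without_ticket:{untied_sensitive[agent]}")
        if reasons:
            dwell_h = (last[agent] - first[agent]).total_seconds() / 3600
            findings[agent] = {"reasons": reasons, "dwell_hours": round(dwell_h, 1)}
    return findings


def build_sample_log():
    """Constructed sample: one normal agent and one agent behaving like a scraper."""
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    base = datetime(2025, 9, 20, 2, 0, 0, tzinfo=timezone.utc)
    lines = []
    # Normal agent: 12 lookups spread over two hours, each tied to a ticket.
    for i in range(12):
        ts = (base + timedelta(minutes=10 * i)).strftime(fmt)
        lines.append(f"{ts} agent=bpo-0101 action=user.lookup target=user:{1000 + i} ticket={500 + i}")
    # Outlier: 300 PII views in one hour with no ticket, then an MFA disable,
    # with a final event 58 hours after the first.
    for i in range(300):
        ts = (base + timedelta(seconds=12 * i)).strftime(fmt)
        lines.append(f"{ts} agent=bpo-0412 action=user.pii_view target=user:{20000 + i} ticket=none")
    lines.append(f"{(base + timedelta(hours=1)).strftime(fmt)} agent=bpo-0412 action=user.mfa_disable target=user:20007 ticket=none")
    lines.append(f"{(base + timedelta(hours=58)).strftime(fmt)} agent=bpo-0412 action=user.lookup target=user:20999 ticket=none")
    lines.append("malformed line the parser must skip")
    return lines


if __name__ == "__main__":
    for agent, info in analyze(build_sample_log()).items():
        print(agent, info)
```

The point of the volume check is that it does not depend on who logged in or from where: a stolen agent credential produces exactly the same session as the real agent, so the only reliable signal is what the session does. Alerting on the first hour of bulk lookups, rather than waiting for a report, is what shortens a 58-hour window to one.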

Discord’s Refusal to Pay

When the attackers initially contacted Discord, they demanded a $5 million ransom to prevent public release of the stolen data. This figure was later reduced to $3.5 million as negotiations progressed between September 25 and October 2. Discord engaged in limited discussions with the hackers before ultimately refusing to pay and publicly disclosing the incident.

Discord’s stance—that they “will not reward those responsible for their illegal actions”—aligns with cybersecurity best practices and law enforcement recommendations against paying ransoms. However, this principled position may come at the cost of public data exposure, as the attackers have threatened to leak the stolen information after Discord ceased communications and issued its public statement.

The hackers reportedly became “extremely angry” after Discord’s public disclosure and refusal to continue negotiations, suggesting the data leak is now likely imminent. This scenario illustrates the difficult calculus organizations face when deciding whether to engage with extortionists—paying encourages future attacks, but refusing may result in greater harm to affected individuals.

What Comes Next

Discord has begun notifying affected users via email from [email protected], with messages specifying whether government ID photos were among the compromised data. The company has also contacted law enforcement and continues investigating the incident’s full scope.

For Discord users who interacted with customer support or submitted ID verification, the immediate priorities are monitoring for signs of identity theft or fraud, being vigilant against phishing attempts that reference specific support interactions, reviewing account security settings and enabling all available protections, and considering credit monitoring services if government IDs were exposed.

The broader cybersecurity community should view this incident as a stark reminder that third-party vendors and outsourced service providers represent critical weak points in organizational security. As the Scattered Lapsus$ Hunters demonstrated, sophisticated attackers understand that the path of least resistance often runs through contracted partners rather than directly through hardened corporate infrastructure.

Whether Discord’s 70,000 figure or the hackers’ 2.1 million claim proves accurate, the fundamental lesson remains unchanged: when companies entrust sensitive user data to third parties, they must ensure those partners maintain security standards commensurate with the sensitivity of the information being handled. In the Discord breach, that security standard appears to have fallen dangerously short.

Written by: Logan Elliott
Cyberix
https://www.cyberixsafe.com

Nisar Nikzad

Nisar is a Federal Contracting Expert and Cybersecurity Professional with nearly two decades of experience in Government procurement and Compliance. He is the founder and CEO of Cyberix, where he helps organizations navigate Federal acquisition requirements and cybersecurity challenges through practical, strategic solutions.