Discord is standing firm against cybercriminals who claim to have stolen sensitive data from millions of users. The messaging platform confirms that hackers breached a third-party customer service provider and accessed government ID photos, but the company strongly disputes the scale of the attack. While criminals demand millions in ransom payments, Discord refuses to negotiate with the attackers.
The breach that shocked the gaming world
On September 20, 2025, hackers gained unauthorized access to Discord’s customer support systems through a third-party vendor. The attack wasn’t a direct breach of Discord’s main platform, but rather targeted the external company that handles customer service tickets and age verification appeals.
The cybercriminal group behind the attack calls itself Scattered Lapsus$ Hunters. This coalition combines members from three notorious hacking organizations: Lapsus$, Scattered Spider, and ShinyHunters. These groups are known for their sophisticated social engineering tactics and aggressive extortion campaigns.
“An unauthorized party targeted our third-party customer support services to access user data, with a view to extort a financial ransom from Discord”, the company explained in its official statement.
The numbers don’t add up
Discord and the hackers are telling very different stories about how many people were affected. The criminals claim they stole data from 5.5 million unique users, including 2.1 million government ID photos. However, Discord strongly disputes these figures.
According to Discord’s investigation, approximately 70,000 users may have had their government ID photos exposed. That’s a massive difference – about 30 times smaller than what the hackers claim. This huge gap suggests the criminals might be inflating the numbers to increase pressure for ransom payments.
The hackers say they maintained access to Discord’s support systems for 58 hours and stole 1.6 terabytes of data. This allegedly includes around 8.4 million support tickets and over 580,000 age verification cases. Discord hasn’t confirmed these specific numbers but acknowledges that some users who contacted customer support were affected.
What information was actually stolen
The confirmed stolen data includes several types of sensitive information. For users who contacted Discord’s customer support or Trust & Safety teams, hackers potentially accessed:
- Full names and Discord usernames
- Email addresses and contact information
- IP addresses from support interactions
- Messages and attachments sent to customer service
- Limited billing information like payment types and last four credit card digits
- Purchase history and transaction details
Most concerning are the government ID images from users who appealed age verification decisions. These documents include driver’s licenses, passports, and other official identification cards that can’t be easily replaced if misused.
“The unauthorized party also gained access to a small number of government-ID images (e.g., driver’s license, passport) from users who had appealed an age determination”, Discord confirmed in their breach notification.
The ransom demands escalate
The hackers initially demanded $5 million from Discord to delete the stolen data and keep it private. When Discord refused to pay, the criminals reduced their demand to $3.5 million. The company continued to reject all ransom demands.
According to cybersecurity reporters who spoke with the hackers, negotiations occurred between September 25 and October 2. The talks broke down when Discord went public with the breach announcement instead of agreeing to pay.
The criminals say they’re “extremely angry” about Discord’s refusal to negotiate. They’re now threatening to release the stolen data publicly through their dark web leak site. This follows the typical pattern of modern ransomware groups who use public shame and data leaks to pressure victims.
“We will not reward those responsible for their illegal actions”, Discord stated firmly in response to the ransom demands.
The age verification problem
Discord only collected government IDs because of legal requirements for age verification. Various countries and jurisdictions now require social media platforms to verify users’ ages, especially for accessing age-restricted content or features.
The UK’s Online Safety Act is a prime example of these new regulations. It forces platforms to implement “highly effective” age checks to prevent minors from accessing adult content. Similar laws exist in multiple US states and other countries.
This creates a difficult situation for companies like Discord. They must collect sensitive personal documents to comply with the law, but storing these documents creates attractive targets for cybercriminals. Government IDs contain far more information than just age – they include addresses, license numbers, and other data useful for identity theft.
“Security experts warned that these types of scenarios would be more likely to occur, as hackers now know that companies might have vast stores of this type of sensitive personal information”, according to security researchers who predicted these risks.
The third-party vendor connection
While Discord hasn’t officially named the compromised vendor, multiple sources identify it as Zendesk. Zendesk is a popular customer service platform used by thousands of companies worldwide. The hackers themselves claimed they breached Discord’s Zendesk instance.
The attack didn’t exploit a vulnerability in Zendesk’s software. Instead, the criminals compromised a support agent’s account through social engineering tactics. This agent worked for a business process outsourcing (BPO) company that Discord hired to handle customer support.
BPO companies have become popular targets for hackers because they provide backdoor access to multiple client companies. By compromising one BPO employee, criminals can potentially access dozens of different customer environments.
Zendesk confirmed to reporters that their own systems weren’t breached and that the attack didn’t stem from any vulnerabilities in their platform. However, this doesn’t change the fact that millions of users’ sensitive data was stored in Zendesk-based systems.
Discord’s immediate response
Discord acted quickly once they discovered the breach. The company immediately revoked the third-party vendor’s access to their ticketing system and launched an internal investigation. They also engaged a computer forensics firm and notified law enforcement agencies.
All affected users are receiving email notifications from Discord’s official address: discord-noreply@discord.com. The company warns users to be suspicious of any phone calls claiming to be from Discord about this incident. Discord only communicates about security matters through official email channels.
The platform emphasizes that core Discord functionality wasn’t affected. Private messages, server communications, passwords, and full credit card numbers were not accessed. The breach only affected data that users shared directly with customer support agents.
The broader implications for online privacy
This incident highlights the unintended consequences of age verification mandates. Laws designed to protect children have created new privacy risks for all users. Companies must now collect and store sensitive documents that become targets for cybercriminals.
The problem will likely get worse as more governments implement age verification requirements. Every new law creates additional databases of government IDs that hackers can target. Unlike passwords or credit cards, stolen identification documents can’t be easily replaced.
Privacy advocates have long warned about this scenario. Mandatory age verification creates “honeypots” of sensitive personal data that inevitably attract criminal attention. The Discord breach proves these warnings were justified.
The situation also demonstrates how third-party vendors can undermine security. Even if Discord’s own systems are secure, they’re only as safe as their weakest partner. Supply chain attacks through vendors have become increasingly common.
What users can do to protect themselves
Discord users should immediately check their email for breach notifications. If you contacted Discord customer support or submitted ID documents for age verification, you might be affected. The company is notifying everyone whose data was potentially compromised.
For users whose government IDs were stolen, the risks are particularly serious. Consider signing up for identity theft monitoring services and watch your credit reports carefully. Criminals often use stolen IDs to open new accounts or apply for loans.
Be extra cautious about phishing attempts that might exploit this breach. Scammers could use the stolen information to send convincing fake messages claiming to be from Discord or other companies. Never click links or download attachments from unexpected emails.
Users should also review their privacy settings on Discord and other platforms. Consider whether you really need to verify your age on services where it’s optional. Each additional verification creates another potential point of failure.
The criminal group behind the attack
Scattered Lapsus$ Hunters represents a new evolution in cybercrime organization. By combining expertise from three different hacking groups, they can execute more sophisticated attacks. Lapsus$ brings social engineering skills, Scattered Spider adds IT infrastructure knowledge, and ShinyHunters contributes data theft expertise.
This coalition has been active throughout 2025, targeting major companies including Salesforce, Microsoft, and various government agencies. They typically use social engineering to compromise employee accounts rather than exploiting technical vulnerabilities.
The group operates primarily through Telegram channels where they coordinate attacks and share stolen data. They often mock their victims publicly and use social media pressure as part of their extortion tactics. This psychological warfare approach has proven effective against some organizations.
Security researchers note that many members of these groups are surprisingly young, often teenagers with advanced technical skills. However, their youth doesn’t make them less dangerous – if anything, it makes them more unpredictable and willing to take risks.
The industry response and future prevention
The Discord breach has prompted renewed discussions about customer service security. Many companies are reevaluating their third-party vendor relationships and implementing additional security controls for support systems.
Zendesk and other customer service platforms are likely to face increased scrutiny from potential customers. Companies will demand stronger security guarantees and may require additional insurance coverage for vendor-related breaches.
The incident also highlights the need for better age verification alternatives. Some experts suggest using privacy-preserving technologies that can confirm age without storing actual government documents. However, these solutions are still in development and may not satisfy regulatory requirements.
For now, companies caught between legal compliance and security risks have few good options. They must either collect sensitive documents and risk breaches, or face regulatory penalties for non-compliance. This Discord incident shows the real costs of this impossible choice.
The long-term solution likely requires changes to age verification laws themselves. Legislators need to understand that mandatory ID collection creates security risks that may outweigh the privacy benefits they’re trying to achieve. Until laws change, incidents like this Discord breach will continue happening.
