Discord says some user data exposed in third-party vendor breach

Skye Jacobs

The takeaway: Discord has disclosed that a breach at one of its external customer service vendors exposed personal information belonging to a subset of users. Although Discord's core platform was not affected, the incident underscores how vulnerabilities in third-party vendors can still provide attackers with opportunities to access sensitive data.

According to the company, an "unauthorized party" infiltrated the systems of the unnamed third-party vendor, accessing data related to users' interactions with Discord's customer support and trust & safety teams. Once the breach was detected, the vendor's access to Discord's ticketing system was revoked, and security reviews were initiated to assess the full scope of the exposure.

The potentially compromised information includes names, Discord usernames, email addresses, and other contact details provided during customer support interactions. Limited billing data such as payment type, the last four digits of a credit card, and purchase history associated with an account may also have been accessed, along with IP addresses and message histories between users and Discord service agents.

Additionally, the attacker obtained a small number of government ID images submitted by users appealing age verification decisions, including scans of driver's licenses and passports. Discord stated that users in this category will be notified directly.

More sensitive financial credentials, such as full credit card numbers and CVV codes, were not affected. User passwords, authentication data, and general activity on the platform outside of support interactions also remained secure.

The breach was further complicated by an attempted extortion, with the attacker reportedly trying to demand a financial ransom from Discord. The company has not disclosed whether any payment was made.

Discord described the impact as limited to a small number of users, though it did not provide an exact figure. Notification emails are being sent from the official [email protected] address, and the company emphasized that it will not contact affected users by phone regarding the incident.

In response, Discord has informed relevant data protection authorities, strengthened threat detection systems for external vendors, and is auditing third-party security controls. The company also urged impacted users to remain vigilant for phishing attempts or suspicious messages and to report them through official channels.

Seems like there's a "new" internet rule: if the service exists, there's a data breach of it. If not, expect one soon.

Not sure what the solution is. Banning crypto would make it harder for breaches to be profitable.
 
And of course they followed the trend of covering their a$$es with a forced "you can only agree to the new T&C" popup, forcing arbitration if they were to get sued over this...
 
It's probably smart these days to use single-use email addresses to sign up for services so a leak won't compromise one's real email address. Besides that, DO NOT share other private information. Also, use a payment service instead of a private credit card.

I know MY email address has leaked: yesterday I received an email from a congresswoman about the I.C.E. situation...but I'm not a US citizen and not in the USA. That "lady" just BOUGHT an email address list to send her spam to, and mine obviously was on that list. It's unlikely to be the only list with my address on it. Perhaps it's time to ditch it after all these years.
My other (newer) address never receives unwanted messages/spam and the plan is to keep that feature.
 
It's probably smart these days to use single-use email addresses to sign up for services so a leak won't compromise one's real email address. Besides that, DO NOT share other private information. Also, use a payment service instead of a private credit card.
Throwaway email wouldn't help for this. Those of us unfortunate enough to live in the UK have to legally provide photographic ID to access a lot of online/social content now.

Was only a matter of time before someone got hacked into. What's worse (and nobody is complaining about it) is that almost all, including Discord, say that the ID is only used to verify age and never kept afterwards - but here we are, with the hackers making off with everyone's ID documents.

So many data breaches happen each week in the UK now, nobody bats an eyelid.
 
Seems like there's a "new" internet rule: if the service exists, there's a data breach of it. If not, expect one soon.

Not sure what the solution is. Banning crypto would make it harder for breaches to be profitable.
It's standard operating procedure for anyone who knows IT security: if it's on the internet, it's not safe.
 
Throwaway email wouldn't help for this. Those of us unfortunate enough to live in the UK have to legally provide photographic ID to access a lot of online/social content now.

Was only a matter of time before someone got hacked into. What's worse (and nobody is complaining about it) is that almost all, including Discord, say that the ID is only used to verify age and never kept afterwards - but here we are, with the hackers making off with everyone's ID documents.

So many data breaches happen each week in the UK now, nobody bats an eyelid.
Discord specifically clarified that it was a small number of ID images, not everyone's lol:
Discord said:
The unauthorized party also gained access to a small number of government‑ID images (e.g., driver’s license, passport) from users who had appealed an age determination. If your ID may have been accessed, that will be specified in the email you receive.
Discord does delete ID images, but not if you make an appeal. Here's the support page on verifying your age (it does say they delete ID images): https://support.discord.com/hc/en-u...3-How-to-Complete-Age-Verification-on-Discord
And here's the support page on appealing a failed age verification (it doesn't say they delete ID images): https://support.discord.com/hc/en-u...se-Discord-in-my-country-but-I-got-locked-out
 
I don't know why people are worried about it; once digital IDs are forced on us and they get hacked, this will look minor.