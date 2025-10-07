The takeaway: Discord has disclosed that a breach at one of its external customer service vendors exposed personal information belonging to a subset of users. Although Discord's core platform was not affected, the incident underscores how vulnerabilities in third-party vendors can still provide attackers with opportunities to access sensitive data.

According to the company, an "unauthorized party" infiltrated the systems of the unnamed third-party vendor, accessing data related to users' interactions with Discord's customer support and trust & safety teams. Once the breach was detected, the vendor's access to Discord's ticketing system was revoked, and security reviews were initiated to assess the full scope of the exposure.

The potentially compromised information includes names, Discord usernames, email addresses, and other contact details provided during customer support interactions. Limited billing data such as payment type, the last four digits of a credit card, and purchase history associated with an account may also have been accessed, along with IP addresses and message histories between users and Discord service agents.

Additionally, the attacker obtained a small number of government ID images submitted by users appealing age verification decisions, including scans of driver's licenses and passports. Discord stated that users in this category will be notified directly.

More sensitive financial credentials, such as full credit card numbers and CVV codes, were not affected. User passwords, authentication data, and general activity on the platform outside of support interactions also remained secure.

The breach was further complicated by an attempted extortion, with the attacker reportedly trying to demand a financial ransom from Discord. The company has not disclosed whether any payment was made.

Discord described the impact as limited to a small number of users, though it did not provide an exact figure. Notification emails are being sent from the official noreply@discord.com address, and the company emphasized that it will not contact affected users by phone regarding the incident.

In response, Discord has informed relevant data protection authorities, strengthened threat detection systems for external vendors, and is auditing third-party security controls. The company also urged impacted users to remain vigilant for phishing attempts or suspicious messages and to report them through official channels.