The communications platform Discord has recently confirmed a significant data security incident, revealing that approximately 70,000 users may have had their government-issued ID photos compromised. This sensitive data, which includes documents such as driver's licenses and passports, was submitted by users primarily to appeal age determination decisions on the platform. The incident, which Discord first disclosed last week, has raised serious concerns about user privacy and the security of data handled by third-party vendors.
The company stressed that the breach was not a compromise of Discord's own core systems but rather an attack on a third-party customer service provider it uses. The unauthorized party gained access to a limited number of users' information, specifically from those who had communicated with Discord's Customer Support or Trust & Safety teams. The hackers, reportedly attempting to extort a financial ransom from Discord, have been circulating claims that they stole over two million age verification images, totaling around 1.5 terabytes of data. Discord has staunchly refuted this exaggerated figure, asserting that the number of exposed government ID photos is closer to 70,000, and stated it has no intention of paying the ransom demanded by the threat actors.
In addition to the highly sensitive ID photos, the breach potentially exposed other user data for the impacted individuals. This information includes names, Discord usernames, email addresses, contact details, IP addresses, messages exchanged with customer service agents, limited billing information such as the payment type and the last four digits of credit card numbers, and purchase history. Crucially, Discord confirmed that full credit card numbers, CVV codes, passwords, and authentication data were not compromised. The exposure highlights the inherent risks of third-party service dependencies, even when a company's own infrastructure remains secure. This type of data, especially government IDs, presents a heightened risk of identity theft and impersonation for the affected users.
Discord took swift action upon discovering the attack, which included revoking the compromised vendor's access to its ticketing system, launching an internal investigation, and engaging a leading computer forensics firm and law enforcement to manage the crisis. The company has committed to individually notifying all affected users globally via email from an official address. Furthermore, Discord has ended its work with the compromised vendor and has reviewed its security controls for other third-party support providers, emphasizing its commitment to protecting user personal data. The breach serves as a stark reminder of the security vulnerabilities that can arise throughout a supply chain, particularly with the increasing adoption of age verification systems that necessitate the collection of sensitive documents. Users who submitted their IDs are advised to remain vigilant for suspicious communications and to monitor their accounts for potential signs of identity misuse.