Discord Breach: What We Know So Far
Discord confirmed a data breach linked to a third-party customer support vendor. Hackers claim to have stolen data from 5.5 million users, including government IDs and partial payment details. Discord says the real number of affected users is much smaller and refuses to pay ransom to the attackers.
[16.10.2025] Update: Zendesk clarified that the breach did not involve its systems. The company said its platform was not compromised and that the incident did not arise from any vulnerability within Zendesk.
Discord later confirmed that the breach involved 5CA, another third-party service provider used for customer support.
5CA also released a statement saying its own systems were not compromised and that it has not handled any government-issued IDs for Discord. The company said an ongoing forensic investigation indicates the incident occurred outside its systems, with no impact on other clients or data. Preliminary findings suggest the issue may have resulted from human error.
What Happened?
According to Discord, hackers gained access to a third-party support system used by Discord, not Discord’s main platform. Hackers claim to have stolen 1.6 terabytes of data, which includes user support tickets, government ID photos, and partial billing details.
Discord says: “This was not a breach of Discord, but rather a third-party service we use to support our customer service efforts.”
How Did The Attackers Get In?
The attackers say they accessed Discord’s instance for around 58 hours starting on September 20, 2025.
They claim the entry point was a compromised account of a support agent working for a Business Process Outsourcing (BPO) company used by Discord.
These outsourced support providers are often a target because they handle sensitive user data for many companies.
What Kind of Data Was Stolen?
The hackers say they took:
- 1.5 TB of attachments, like ID photos and screenshots.
- 100 GB of ticket transcripts.
- Around 8.4 million support tickets involving 5.5 million unique users.
- Partial payment data for about 580,000 users.
However, Discord disagrees with these numbers.
What Data Might Be Exposed?
Discord confirmed that a limited number of users had the following information accessed:
- Real names and usernames
- Email addresses and contact details
- Photos of government-issued IDs (driver’s license or passport)
- Partial billing details, like payment type and the last four credit card digits
No complete credit card numbers or direct messages were stolen.
What Does Discord Say?
Discord released a public statement to clarify the situation.
- Only around 70,000 users had government ID photos exposed.
- Claims of 2.1 million leaked ID photos are false and exaggerated.
- The attackers are trying to extort Discord for money.
- Discord will not pay the hackers.
A Discord spokesperson told BleepingComputer:
“First, as stated in our blog post, this was not a breach of Discord, but rather a third-party service we use to support our customer service efforts.
Second, the numbers being shared are incorrect and part of an attempt to extort a payment from Discord. Of the accounts impacted globally, we have identified approximately 70,000 users that may have had government-ID photos exposed, which our vendor used to review age-related appeals.”
What Did The Hackers Leak?
After the breach, hackers started posting screenshots from Discord’s internal support tools. These images appeared to show user support tickets, account details, and even the internal Zenbar support dashboard.
Who Is Behind The Attack?
When Discord’s alleged Zendesk breach first surfaced, it was believed that the group Scattered Lapsus$ Hunters (SLH) was responsible.
This assumption came after SLH announced that they had compromised Discord’s Okta and Kolide systems around the same time. Because of that, some observers thought the group was also behind the breach.
However, SLH later denied any involvement in the compromise.
In messages shared on their Telegram channel, the group said:
“We never took credit for the Discord Zendesk compromise. We actually did pop their Okta at the same time … vxunderground believed we were behind the Zendesk compromise. We never corrected him because it was hilarious and we know the truth would come out.”
They also said the real perpetrators are part of a broader hacker ecosystem:
“We know the actual ones who have done the Discord Zendesk compromise. Everything is pretty interconnected around here.”

Telegram post of the SLH
So, SLH claims they know who did it, but they are not identifying that group publicly. Their comments also show how closely connected various threat groups are, sometimes working in parallel or sharing tools and information.
How Did Discord Respond?
Discord says it acted quickly after discovering the incident:
- Revoked access for the third-party vendor.
- Isolated the affected systems.
- Launched an internal investigation.
- Brought in a forensics team to assess the breach.
- Involved law enforcement.
The company also started notifying affected users directly.
What Should Users Do?
If you have interacted with Discord support recently or uploaded an ID for verification:
- Be cautious with emails pretending to be from Discord.
- Do not click links asking you to reverify your account.
- Turn on two-factor authentication (2FA).
Why Does It Matter?
The Discord breach is a clear reminder that security depends on every link in the chain. Even if a company protects its own systems, a single weak vendor can open the door to attackers.
The stolen data (emails, IDs, and partial billing info) can easily feed phishing, impersonation, and identity fraud campaigns.
To lower these risks, organizations can use SOCRadar’s Supply Chain Intelligence to continuously monitor third-party security posture, and Identity & Access Intelligence to uncover compromised credentials, detect abnormal access, and trace how and where that access was exposed.

SOCRadar’s Supply Chain Intelligence, 3rd Party Companies
Strong defenses mean protecting not just your organization, but everyone connected to it.


