
Discord Data Breach Exposes User IDs, Billing Info, and Photo IDs

A third-party breach at Discord exposed user data, billing details, and even photo IDs, highlighting the risks of vendor security gaps.

Written By
Ken Underhill
Oct 7, 2025

Discord, the widely used communication platform for gamers and online communities, confirmed a data breach involving one of its third-party customer service providers, resulting in unauthorized access to sensitive user information. 

In an official statement, Discord revealed that attackers compromised the systems of an external vendor—reportedly Zendesk—to access support ticket queues containing customer data. 

Although Discord’s core infrastructure was not breached, the attack underscores ongoing risks tied to third-party service dependencies.

What was exposed

The stolen data primarily affects users who recently contacted Discord’s Customer Support or Trust & Safety teams. 

Compromised information includes usernames, email addresses, IP addresses, and transcripts of support conversations. Limited billing details, such as payment methods and the last four digits of credit cards, were also exposed. 

Most concerning, the attackers accessed a small number of government-issued IDs submitted for age verification purposes—documents that increase the risk of identity theft.

Discord emphasized that passwords, full credit card numbers, and general private messages were not compromised. 

The company immediately revoked the vendor’s system access, launched a forensic investigation with a third-party cybersecurity firm, and reported the incident to law enforcement and data protection authorities.

Who’s behind the attack

While Discord has not publicly attributed the breach, a threat actor group calling itself Scattered Lapsus$ Hunters—believed to be a collaboration of Scattered Spider, Lapsus$, and ShinyHunters—has claimed responsibility. 

The group posted screenshots on Telegram allegedly showing access to Discord’s internal tools and administrative panels. They mocked Discord’s security measures, boasting about the breach and hinting at plans to release additional data. 

The attackers also derided the company’s response measures, including its temporary suspension of Okta and Kolide logins.

Their taunting messages and public proof-of-access claims suggest the attack may have been motivated by extortion. Discord confirmed the incident began as an attempted ransom demand, aligning with the group’s known tactics of leveraging stolen data for financial gain and publicity.

Discord’s response

Discord acted quickly once the breach was discovered. 

The company severed connections with the compromised provider, implemented enhanced access controls, and began auditing all third-party service integrations. It has also started notifying affected users via email.

However, the notification campaign has inadvertently triggered confusion among users, with reports of phishing emails impersonating Discord’s breach alerts circulating online. 

Security professionals warn that cybercriminals may exploit this situation by sending fake notifications to harvest additional credentials or personal data.

Discord’s transparency and quick containment efforts have been commended, but the incident reignites concerns about the security oversight of third-party vendors—a recurring weak point in the supply chain of major tech platforms.

What users should do

Users affected by the breach should treat any unexpected emails or messages claiming to be from Discord as suspicious. 

Verify communications by checking the official sender address and never click on embedded links or attachments from unverified sources. Impacted users should also:

  • Monitor for identity misuse — particularly if a government ID was submitted for verification.
  • Check financial statements for unauthorized activity.
  • Rotate credentials associated with the email linked to their Discord account.
  • Enable MFA to reduce the risk of future account compromise.

The Discord breach highlights a growing challenge for organizations that outsource customer support or identity verification functions. Even when a platform’s internal systems remain secure, third-party weaknesses can still expose sensitive data and erode user trust.

For enterprises, this serves as another reminder: vendor access and data sharing must be continuously audited and governed by zero-trust principles.

Ken Underhill is an award-winning cybersecurity professional, bestselling author, and seasoned IT professional. He holds a graduate degree in cybersecurity and information assurance from Western Governors University and brings years of hands-on experience to the field.
