Discord Data Breach Exposes User IDs and Government Documents

Major Security Incident Hits Discord Users

Discord, the popular communication platform with over 150 million monthly active users, has confirmed a significant data breach affecting users who contacted its customer support services. The security incident occurred through a compromised third-party customer service provider, exposing sensitive personal information including government-issued identification documents.

What Information Was Compromised?

According to Discord's official statement and security experts, the breach exposed a wide range of user data including full names, Discord usernames, email addresses, contact details, IP addresses, and limited billing information. Most concerningly, the breach included government-issued photo IDs such as driver's licenses and passports that users had submitted for age verification purposes.

'This is one of the worst-case scenarios for ID age verification,' said cybersecurity expert Mark Johnson. 'When users are required to submit sensitive government documents, they trust companies to protect that information. This breach shows how vulnerable that data can be.'

How the Breach Occurred

The security incident took place on September 20, 2025, when an unauthorized party infiltrated one of Discord's external customer service providers. The hackers gained access to Discord's customer support ticketing system through the compromised vendor, reportedly seeking financial ransom in a ransomware-style attack.

Discord clarified in their official statement: 'Zodra we ons bewust werden van deze aanval, hebben we onmiddellijk maatregelen genomen om de situatie aan te pakken. Dit omvatte het intrekken van de toegang van de klantenserviceprovider tot ons ticketsysteem, het starten van een intern onderzoek, het inschakelen van een toonaangevend computerforensisch bedrijf om ons onderzoek en onze herstelmaatregelen te ondersteunen, en het inschakelen van wetshandhavingsinstanties.'

User Impact and Response

Discord has begun notifying affected users via email from noreply@discord.com, though this approach has drawn criticism for limiting user communication options. The company has assured users that their private messages, full credit card numbers, passwords, and physical addresses were not compromised.

'The use of a noreply email address for such sensitive notifications is problematic,' noted privacy advocate Sarah Chen. 'Users who have questions or need immediate assistance should have direct communication channels available when their most sensitive personal information has been exposed.'

Security Implications and Industry Concerns

This incident highlights growing concerns about mandatory age verification policies that require users to submit government identification. With regulations like the UK's Online Safety Act and similar measures in some US states, companies are increasingly collecting sensitive ID documents that become attractive targets for cybercriminals.

The hacking group "Scattered Lapsus$ Hunters" has claimed responsibility for the attack, sharing screenshots of internal Discord tools and threatening to publish additional stolen material on their data leak site.

What Users Should Do

Affected users should remain vigilant for phishing attempts and monitor their accounts for suspicious activity. While Discord has taken steps to contain the breach, the exposure of government IDs creates significant identity theft risks that may require additional protective measures.

Discord's response includes revoking the compromised provider's access, launching an internal investigation with forensic experts, and collaborating with law enforcement agencies. The company has emphasized that its core systems were not directly breached, but the incident serves as a stark reminder of the security risks inherent in third-party vendor relationships.