Full Report
Jay Peters reports: 5CA is a customer service support company that works with Discord. Recently, the chat platform said the vendor had been breached as part of a “security incident” where 70,000 government ID photos may have leaked. Now, 5CA says in a post on its website that it was “not hacked.” According to Discord, “this incident impacted a...
Analysis Summary
# Incident Report: Discord Customer Support Vendor Data Exposure
## Executive Summary
Discord reported a security incident resulting from a compromise impacting their third-party customer service provider, 5CA, potentially exposing the government ID photos of approximately 70,000 users who had interacted with support teams. However, the vendor, 5CA, publicly denied the report, asserting that none of their systems were breached and that they do not handle government-issued IDs for this client. The incident highlights significant supply chain risk associated with third-party data handling.
## Incident Details
- **Discovery Date:** Not explicitly disclosed, but reports surfaced around October 14, 2025.
- **Incident Date:** Not explicitly disclosed.
- **Affected Organization:** Discord (Victim of breach at third-party vendor) and 5CA (Vendor).
- **Sector:** Social/Communication Platform, Customer Service Support.
- **Geography:** Not specified publicly in the summary data.
## Timeline of Events
### Initial Access
- **Date/Time:** Unknown.
- **Vector:** Allegedly a breach of the third-party vendor, 5CA.
- **Details:** Incident impacted users who communicated with Discord’s Customer Support or Trust & Safety teams.
### Lateral Movement
- Not detailed in the provided summary, as the reported focus was on the vendor's system compromise.
### Data Exfiltration/Impact
- **What was stolen or damaged:** Potentially 70,000 users' government ID photos, which were used by the vendor for age-related appeals review.
### Detection & Response
- **How it was discovered:** Discord detected the security incident involving their vendor.
- **Response actions taken:** Discord communicated the breach to the public, attributing it to the vendor 5CA, and began notifying affected users.
## Attack Methodology
- **Initial Access:** Not detailed; implied network intrusion or vulnerability exploitation targeting the third-party vendor (5CA).
- **Persistence:** Unknown.
- **Privilege Escalation:** Unknown.
- **Defense Evasion:** Unknown.
- **Credential Access:** Unknown.
- **Discovery:** Unknown.
- **Lateral Movement:** Unknown.
- **Collection:** Data (Government ID photos) related to customer service interactions was accessed.
- **Exfiltration:** Implied data theft from the vendor's environment.
- **Impact:** Exposure of sensitive personally identifiable information (PII) for a subset of users.
## Impact Assessment
- **Financial:** Not estimated in the provided text.
- **Data Breach:** Potentially 70,000 government ID photos exposed.
- **Operational:** Potential disruption to user trust regarding data handling by customer support processes.
- **Reputational:** Negative exposure for Discord due to reliance on a compromised third party.
## Indicators of Compromise
- *No specific IoCs (URLs, IPs, files) were provided in the source material.*
- **Behavioral indicators:** Unauthorized access to customer support records containing sensitive verification documents.
## Response Actions
- **Containment measures:** Not detailed, but would typically involve isolating vendor access/systems post-discovery.
- **Eradication steps:** Not detailed.
- **Recovery actions:** Notification of affected users by Discord.
## Lessons Learned
- **Key takeaways:** Critical reliance on third-party vendor security posture (supply chain risk) when handling sensitive customer verification data (like government IDs).
- **What could have been done better:** Discord needed to verify and state the scope of compromise more clearly before publishing, since the vendor directly contradicted its account of both which systems were involved and what data the vendor held.
## Recommendations
- Conduct rigorous, external validation (audits/pen-tests) of third-party vendors handling highly sensitive PII like government IDs before data sharing.
- Minimize the scope of PII shared with third-party vendors; ensure vendors only possess data strictly necessary for their contracted function.
- Establish clear, immediate communication protocols with vendors in the event of a suspected incident to ensure unified factual reporting.