Full Report
Divya reports: The popular communication platform Discord is confronting a major extortion attempt after cybercriminals breached one of its third-party customer service providers, compromising sensitive user data including government identification photos used for age verification. Threat actors claim to have exfiltrated 1.5 terabytes of sensitive information, including over 2.1 million government-issued identification photos. However, Discord disputes these figures, stating that...
Analysis Summary
# Incident Report: Third-Party Vendor Breach Exposes Discord User ID Photos
## Executive Summary
Discord confirmed a data breach stemming from the compromise of one of its third-party customer service providers, exposing PII that users had submitted to support, including government ID photos uploaded for age-verification appeals. The compromise occurred in September 2025; Discord stated that approximately 70,000 users worldwide may have had their government ID photos exposed, a figure far below the attackers' claim of 2.1 million. Discord responded by revoking the vendor's access to its ticketing system, engaging a forensics firm, notifying affected users by email, and reporting the incident to law enforcement.
## Incident Details
- Discovery Date: Not stated precisely; Discord described the incident as "recently discovered" in its October 8, 2025 update, and user notifications began shortly before that date.
- Incident Date: September 20, 2025
- Affected Organization: Discord and its users
- Sector: Communication Platform / Social Media
- Geography: Global (Impact on users worldwide)
## Timeline of Events
### Initial Access
- Date/Time: September 20, 2025 (The date the compromise occurred)
- Vector: Compromise of a third-party customer service provider that held legitimate access to Discord's support ticketing system. The summary names neither the vendor nor the ticketing platform; the analyst's inference that the platform was Zendesk is unconfirmed, and nothing in the summary indicates a flaw in the ticketing platform itself rather than misuse of the vendor's access.
- Details: An unauthorized party targeted and breached the systems managed by Discord's third-party vendor used for customer support functions.
### Lateral Movement
- *Not explicitly detailed.* The focus was on direct access to the vendor's ticketing system containing user support interactions and verification artifacts.
### Data Exfiltration/Impact
- Threat actors claimed 1.5 TB of data exfiltration, including over 2.1 million government ID photos.
- Discord confirmed approximately 70,000 users potentially had their government-ID photos exposed.
- Other exposed data included names, usernames, email addresses, other contact details, limited billing information (payment type and the last four digits of payment cards), IP addresses, and messages exchanged with support agents.
### Detection & Response
- Detection: Discord "recently discovered" the incident (prior to October 8, 2025 update).
- Response actions taken: Immediately revoked the vendor’s access to the ticketing system, launched an internal investigation, engaged a leading computer forensics firm, and notified law enforcement. Affected users were being notified via email.
## Attack Methodology
- Initial Access: Compromise of a third-party vendor's customer support access. The summary does not state the mechanism; malware, credential stuffing, social engineering of a support agent, or exploitation of a vendor system are all possibilities and none is confirmed.
- Persistence: *Not detailed.* The unauthorized access lasted until Discord revoked the vendor's access to the ticketing system; no separate persistence mechanism is described.
- Privilege Escalation: *Not detailed.* The exposed data is consistent with what the vendor's legitimate ticketing-system access could already reach, so no escalation beyond that scope is evidenced.
- Defense Evasion: *Not detailed.*
- Credential Access: *Not detailed.*
- Discovery: *Not detailed.*
- Lateral Movement: *Not detailed.*
- Collection: Gathering data from user records, including messages and uploaded government ID images used for age verification appeals.
- Exfiltration: Claimed 1.5 TB of data stolen, focusing on PII and ID photographs.
- Impact: Extortion attempt directed at Discord and eventual public exposure of user PII/ID photos.
## Impact Assessment
- Financial: Extortion attempt was initiated against Discord. Costs related to forensic investigation and remediation are implied.
- Data Breach: Government ID photos of approximately 70,000 users (Discord's figure, disputed upward by the attackers), alongside names, usernames, email addresses, IP addresses, support communications, and limited billing details for the broader set of impacted users.
- Operational: Minor operational disruption as Discord had to immediately sever ties with the compromised vendor support system.
- Reputational: Negative press coverage resulting from the exposure of sensitive government identification photos.
## Indicators of Compromise
- *Specific IoCs (IPs, domains, hashes) were not provided in the summary text.*
- Behavioral indicators: Unauthorized access to a third-party customer service ticketing system.
- File indicators: None published. The files of interest are support-ticket exports and uploaded ID-verification images, but no file names or hashes were released.
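The only indicator the summary gives is behavioral: a vendor support account touching the ticketing system in a way a human agent would not. Because the ticketing system was Discord's own, the platform owner is the party positioned to see that activity. The following is an added example of that detection logic, not Discord's or any vendor's tooling; the audit-log schema (`ts`, `actor`, `actor_type`, `action`, `ticket_id`, `attachment_tag`), the thresholds and the log lines themselves are constructed assumptions for illustration.

```python
"""Detection sketch: flag a vendor account that views far more tickets, or downloads
far more ID-verification attachments, inside a short window than a human agent would.
Added example; the log schema, thresholds and sample events are constructed."""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def make_sample_log():
    """Constructed JSON-lines audit log: one normal vendor agent, one abusive one."""
    base = datetime(2025, 9, 20, 2, 0, 0, tzinfo=timezone.utc)
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    lines = []
    # vendor-agent-17: one ticket every 8 minutes for two hours, one ID download.
    for i in range(15):
        ts = (base + timedelta(minutes=8 * i)).strftime(fmt)
        lines.append(json.dumps({"ts": ts, "actor": "vendor-agent-17", "actor_type": "vendor",
                                 "action": "ticket.view", "ticket_id": f"T-{1000 + i}",
                                 "attachment_tag": None}))
    lines.append(json.dumps({"ts": (base + timedelta(minutes=9)).strftime(fmt),
                             "actor": "vendor-agent-17", "actor_type": "vendor",
                             "action": "attachment.download", "ticket_id": "T-1001",
                             "attachment_tag": "id_verification"}))
    # vendor-agent-42: 120 ticket views and 40 ID downloads inside five minutes.
    for i in range(120):
        ts = (base + timedelta(seconds=2 * i)).strftime(fmt)
        lines.append(json.dumps({"ts": ts, "actor": "vendor-agent-42", "actor_type": "vendor",
                                 "action": "ticket.view", "ticket_id": f"T-{5000 + i}",
                                 "attachment_tag": None}))
    for i in range(40):
        ts = (base + timedelta(seconds=7 * i)).strftime(fmt)
        lines.append(json.dumps({"ts": ts, "actor": "vendor-agent-42", "actor_type": "vendor",
                                 "action": "attachment.download", "ticket_id": f"T-{5000 + i}",
                                 "attachment_tag": "id_verification"}))
    return lines


def detect_bulk_access(lines, window=timedelta(minutes=10),
                       view_threshold=50, id_download_threshold=5):
    """Return one alert per (actor, rule) the first time the count of matching events
    inside a sliding `window` reaches the threshold. Thresholds are assumed values;
    tune them to the observed baseline of genuine agents."""
    events = [json.loads(line) for line in lines if line.strip()]
    events.sort(key=lambda e: e["ts"])        # ISO-8601 UTC strings sort chronologically
    history = defaultdict(list)               # (actor, rule) -> timestamps inside window
    alerts = {}
    for e in events:
        if e.get("actor_type") != "vendor":   # only third-party accounts are in scope here
            continue
        t = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        rules = []
        if e["action"] == "ticket.view":
            rules.append(("ticket.view", view_threshold))
        elif e["action"] == "attachment.download" and e.get("attachment_tag") == "id_verification":
            rules.append(("id_download", id_download_threshold))
        for rule, threshold in rules:
            key = (e["actor"], rule)
            hist = history[key]
            hist.append(t)
            cutoff = t - window
            while hist and hist[0] < cutoff:  # slide the window forward
                hist.pop(0)
            if len(hist) >= threshold and key not in alerts:
                alerts[key] = {"actor": e["actor"], "rule": rule,
                               "count": len(hist), "window_end": e["ts"]}
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_bulk_access(make_sample_log()):
        print(alert)
```

Run against the constructed log, the normal agent produces nothing and the abusive account trips both rules within its first minutes of activity. The ID-download rule is the one worth tuning tightly: legitimate age-appeal handling touches one image per ticket, so even a single-digit count per window is a strong signal.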
## Response Actions
- Containment measures: Immediately revoked the third-party customer support provider’s access to Discord’s ticketing system.
- Eradication steps: Engaged a leading computer forensics firm to support remediation efforts.
- Recovery actions: Notified affected users, relevant data protection authorities, and law enforcement. Discord also announced a review of its security controls for third-party support providers.
## Lessons Learned
- Reliance on third-party vendor security can introduce significant risk, as demonstrated by an attack succeeding against the vendor rather than Discord's primary infrastructure.
- The attackers' claims (1.5 TB and over 2.1 million ID photos) far exceed what Discord confirmed (about 70,000 users). Inflated figures are routine in extortion; the victim should scope the breach from forensic evidence and access logs rather than accept the attacker's numbers, while preparing for the larger claim to circulate publicly.
## Recommendations
- Immediately review and enhance the security posture auditing requirements and contractual obligations for all third-party vendors handling sensitive user data, especially verification artifacts.
- Keep ID scans out of the support ticketing system that vendors can reach: store them in a segregated vault with its own access control and let the ticket carry only an opaque reference, so compromise of a support vendor's access yields tokens rather than images.
- Review internal processes for handling age-verification data to minimize retention: purge verification artifacts on a deadline tied to the appeal decision, and cap how long an unresolved appeal may hold them, so the volume of PII reachable through support channels stays small.
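The last two recommendations together describe a design: tickets hold tokens, images live elsewhere, and retention is enforced by deadline rather than by good intentions. The following is an added example of that pattern, not Discord's design or code; the in-memory vault standing in for a separate service, the scope names, and the retention periods are assumptions.

```python
"""Data-minimization sketch: the support ticket a vendor can read carries only an
opaque token; the ID image sits in a separate vault the vendor cannot dereference; the
image is purged on a deadline tied to the appeal outcome. Added example; the vault,
scope names and retention periods are assumptions, not Discord's design."""
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

OPEN_APPEAL_MAX_RETENTION = timedelta(days=30)  # assumed: purge even if never resolved
POST_DECISION_GRACE = timedelta(days=2)         # assumed: short window for disputes
VAULT_READ_SCOPE = "trust-and-safety-reviewer"  # assumed: vendor agents never hold this


@dataclass
class VaultEntry:
    data: bytes
    sha256: str            # survives as an audit record after the bytes are purged
    expires_at: datetime


class IdVault:
    """Segregated store for verification images. Stands in for a separate service with
    its own access control; the ticketing system only ever sees tokens."""

    def __init__(self):
        self._entries = {}

    def put(self, image: bytes, expires_at: datetime) -> str:
        token = secrets.token_urlsafe(24)       # opaque, unguessable reference
        self._entries[token] = VaultEntry(image, hashlib.sha256(image).hexdigest(), expires_at)
        return token

    def get(self, token: str, caller_scope: str) -> bytes:
        if caller_scope != VAULT_READ_SCOPE:
            raise PermissionError(f"scope {caller_scope!r} cannot read verification images")
        return self._entries[token].data

    def shorten(self, token: str, expires_at: datetime) -> None:
        """Bring an expiry forward; never extend it."""
        entry = self._entries[token]
        entry.expires_at = min(entry.expires_at, expires_at)

    def purge(self, now: datetime) -> int:
        """Delete every expired image; returns how many were removed."""
        expired = [t for t, e in self._entries.items() if e.expires_at <= now]
        for t in expired:
            del self._entries[t]
        return len(expired)

    def has(self, token: str) -> bool:
        return token in self._entries


@dataclass
class Ticket:
    ticket_id: str
    user_id: str
    id_token: Optional[str] = None
    status: str = "open"


def open_age_appeal(vault: IdVault, ticket_id: str, user_id: str, image: bytes, now: datetime):
    """Create the ticket; the image goes to the vault, never into the ticket store."""
    token = vault.put(image, now + OPEN_APPEAL_MAX_RETENTION)
    return Ticket(ticket_id, user_id, id_token=token)


def resolve_age_appeal(vault: IdVault, ticket: Ticket, decision: str, now: datetime) -> None:
    """Close the appeal and start the short post-decision retention clock."""
    ticket.status = decision
    vault.shorten(ticket.id_token, now + POST_DECISION_GRACE)


def vendor_view(ticket: Ticket) -> dict:
    """What a third-party support agent's tooling receives: metadata and a token only."""
    return {"ticket_id": ticket.ticket_id, "user_id": ticket.user_id,
            "status": ticket.status, "id_token": ticket.id_token}


def vendor_can_read(vault: IdVault, token: str) -> bool:
    """True if a vendor-scoped caller can obtain the image bytes (it should not)."""
    try:
        vault.get(token, "vendor-agent")
        return True
    except PermissionError:
        return False


def demo() -> dict:
    """Walk one resolved and one abandoned appeal through the lifecycle."""
    now = datetime(2025, 9, 20, tzinfo=timezone.utc)
    vault = IdVault()
    t1 = open_age_appeal(vault, "T-1", "user-1", b"constructed-id-image", now)
    vendor_sees_bytes = vendor_can_read(vault, t1.id_token)
    reviewer_sees_bytes = vault.get(t1.id_token, VAULT_READ_SCOPE) == b"constructed-id-image"
    resolve_age_appeal(vault, t1, "approved", now)
    purged_early = vault.purge(now + timedelta(days=1))          # still inside the grace window
    purged_after_grace = vault.purge(now + POST_DECISION_GRACE)  # resolved appeal gone
    t2 = open_age_appeal(vault, "T-2", "user-2", b"abandoned-appeal", now)
    purged_unresolved = vault.purge(now + OPEN_APPEAL_MAX_RETENTION)
    return {"vendor_sees_bytes": vendor_sees_bytes, "reviewer_sees_bytes": reviewer_sees_bytes,
            "purged_early": purged_early, "purged_after_grace": purged_after_grace,
            "t1_still_stored": vault.has(t1.id_token), "purged_unresolved": purged_unresolved,
            "t2_still_stored": vault.has(t2.id_token), "vendor_view_keys": sorted(vendor_view(t1))}


if __name__ == "__main__":
    print(demo())
```

The point of the split is blast radius: an attacker holding a vendor's ticketing access, as in this incident, would obtain ticket metadata and tokens, and the image store would still demand a scope the vendor never had. The two deadlines do the retention work: a decided appeal loses its image after the grace period, and an abandoned one is purged at the cap instead of sitting in a support queue indefinitely.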