Full Report
Hackers stole partial payment information and personally identifiable data, including names and government-issued IDs, from some Discord users after compromising a third-party customer service provider. [...]
Analysis Summary
# Incident Report: Discord Support System Data Breach
## Executive Summary
Hackers gained unauthorized access to a third-party customer service system utilized by Discord on September 20, 2025, leading to the exfiltration of sensitive user data, including PII, partial payment details, and government IDs for a small subset of users. Discord responded by immediately revoking the vendor's access, engaging forensics experts, and involving law enforcement, though the attack vector remains publicly undisclosed.
## Incident Details
- Discovery Date: September 20, 2025 (Implied, as the attack occurred on this date)
- Incident Date: September 20, 2025
- Affected Organization: Discord (via a third-party customer service provider)
- Sector: Technology/Social Communication Platform
- Geography: Not specified (Global platform)
## Timeline of Events
### Initial Access
- Date/Time: September 20, 2025
- Vector: Compromise of a third-party customer service system (allegedly a Zendesk instance used by Discord).
- Details: An unauthorized party gained limited access to the vendor's ticketing system. Threat group SLH claimed responsibility.
### Lateral Movement
- Details: Not explicitly detailed, but the access was confined to the third-party customer service system, which contained user support tickets and associated data. The threat actor also reported seeing an internal admin console (a Kolide ACL linked to Okta).
### Data Exfiltration/Impact
- Details: Hackers exfiltrated personally identifying information (real names, usernames, email addresses, contact details), IP addresses, messages/attachments sent to support, partial payment information (payment type, last four credit card digits, purchase history), and photos of government-issued IDs for a limited number of users. Hackers demanded a ransom.
### Detection & Response
- Date/Time: Incident disclosed publicly on Friday, October 4, 2025.
- Details: Discord took immediate action to isolate the support provider from its ticketing system, launched an internal investigation, and engaged a leading computer forensics firm and law enforcement. Discord also revoked the support provider's access.
## Attack Methodology
- Initial Access: Compromise of a third-party customer service provider's system (suspected Zendesk instance).
- Persistence: Not detailed.
- Privilege Escalation: Not detailed.
- Defense Evasion: Not detailed.
- Credential Access: Not detailed.
- Discovery: Not detailed, likely reconnaissance within the compromised vendor's environment.
- Lateral Movement: Movement within the compromised third-party environment to access stored support data or related systems.
- Collection: Theft of user data contained within support tickets, including PII and ID document images.
- Exfiltration: Ransom demand suggests data was moved off-network for extortion.
- Impact: Data breach involving sensitive identity and financial information.
## Impact Assessment
- Financial: Ransom demanded (details not specified). Costs associated with forensics, remediation, and potential notification expenses.
- Data Breach: Personally identifiable information (names, emails, contact details), partial payment information (last 4 digits, type), purchase history, support correspondence, and photos of government-issued IDs (driver's licenses, passports) for a limited number of users.
- Operational: Temporary disruption of the use of the specific third-party support provider/ticketing system.
- Reputational: Public disclosure of a breach involving highly sensitive identity documents.
## Indicators of Compromise
- *Note: No specific network IPs or file hashes were provided in the summary text, therefore this section contains behavioral descriptions where possible.*
- Network Indicators: (None specified)
- File Indicators: (None specified)
- Behavioral Indicators: Unauthorized access to the third-party customer service ticketing system; observation of Kolide access control lists related to employee admin consoles.
## Response Actions
- Containment: Revoking the third-party customer support provider’s access to Discord’s ticketing system.
- Eradication: Forensic investigation initiated (details not fully specified).
- Recovery Actions: Engagement of a leading computer forensics firm and law enforcement.
## Lessons Learned
- Over-reliance on third-party vendors for handling sensitive customer interaction data creates significant inherent risk.
- The exposure of government ID images represents a critical risk requiring immediate review of vendor data retention policies.
- A data set containing PII, partial financial data, and ID documents is highly valuable to threat actors ("literally people's entire identity").
## Recommendations
- Conduct a thorough security audit of all third-party vendor environments that process or store sensitive customer data, focusing heavily on access controls and data minimization standards.
- Review current data retention policies for customer support systems to ensure PII and sensitive documents (such as ID scans) are purged immediately after ticket resolution or, where retention is necessary, are stored within Discord's primary, fully controlled infrastructure.
- Enhance monitoring and auditing capabilities around integrations with customer support platforms to rapidly detect anomalous data access patterns originating from vendor environments.
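As an added illustration of the monitoring recommendation above (example code written for this report, not Discord's or any vendor's tooling), the following sliding-window check runs over a constructed support-platform audit log in a hypothetical five-field format and flags vendor-role accounts whose ticket reads, attachment downloads, or export actions exceed an assumed baseline; the thresholds, field names, and log lines are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit-log sample in a hypothetical format (not real platform output):
# timestamp actor role action ticket_id
SAMPLE_LOG = """\
2025-09-20T02:00:05Z vendor-agent-07 vendor ticket.view 88201
2025-09-20T02:00:09Z vendor-agent-07 vendor ticket.view 88202
2025-09-20T02:00:14Z vendor-agent-07 vendor attachment.download 88202
2025-09-20T02:00:20Z vendor-agent-07 vendor ticket.view 88203
2025-09-20T02:00:26Z vendor-agent-07 vendor ticket.view 88204
2025-09-20T02:00:31Z vendor-agent-07 vendor attachment.download 88204
2025-09-20T02:00:40Z vendor-agent-07 vendor ticket.view 88205
2025-09-20T02:00:47Z vendor-agent-07 vendor ticket.view 88206
2025-09-20T02:01:02Z vendor-agent-07 vendor ticket.export -
2025-09-20T09:15:00Z vendor-agent-02 vendor ticket.view 88310
2025-09-20T09:50:00Z staff-alice staff ticket.view 88312
"""

WINDOW = timedelta(minutes=10)
MAX_DISTINCT_TICKETS = 5   # assumed baseline: a vendor agent rarely opens >5 tickets per window
MAX_DOWNLOADS = 1          # assumed baseline: ID images are downloaded rarely, one at a time

def parse(log):
    # Yield (timestamp, actor, role, action, ticket) for each audit line.
    for line in log.splitlines():
        ts, actor, role, action, ticket = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), actor, role, action, ticket

def detect(log, window=WINDOW):
    """Return sorted (actor, reason) alerts for vendor-role accounts only."""
    recent = defaultdict(deque)   # actor -> events inside the sliding window
    alerts = set()
    for ts, actor, role, action, ticket in parse(log):
        if role != "vendor":
            continue              # staff baselines differ; out of scope for this check
        if action == "ticket.export":
            alerts.add((actor, "bulk export by vendor account"))   # never routine for a vendor
            continue
        q = recent[actor]
        q.append((ts, action, ticket))
        while ts - q[0][0] > window:
            q.popleft()           # drop events that fell out of the window
        tickets = {t for _, a, t in q if a == "ticket.view"}
        downloads = sum(1 for _, a, _ in q if a == "attachment.download")
        if len(tickets) > MAX_DISTINCT_TICKETS:
            alerts.add((actor, "ticket read volume above baseline"))
        if downloads > MAX_DOWNLOADS:
            alerts.add((actor, "attachment download volume above baseline"))
    return sorted(alerts)
```

In a real deployment the baselines would be derived per vendor account from historical activity rather than fixed constants, and alerts would be routed to the team that can revoke the integration's access.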