> Hackers stole partial payment information and personally identifying data associated with some Discord users after compromising a third-party customer service provider. [...]
# Incident Report: Third-Party Breach Exposes Discord User Data
## Executive Summary
Discord suffered a data breach due to a compromise of a third-party customer service provider accessed on September 20, 2025. The incident resulted in the exposure of personally identifying information (PII), contact details, limited payment information, and sensitive documents (IDs) for an unspecified, but limited, number of users who interacted with Discord support. Discord has taken containment steps, revoked access, and engaged forensic experts and law enforcement.
## Incident Details
- **Discovery Date:** Undisclosed; the breach was publicly disclosed on the Friday following the September 20 attack.
- **Incident Date:** September 20, 2025
- **Affected Organization:** Discord
- **Sector:** Social Communication/Technology (Gaming Platform)
- **Geography:** Undisclosed
## Timeline of Events
### Initial Access
- **Date/Time:** September 20, 2025
- **Vector:** Compromise of a third-party customer service system utilized by Discord.
- **Details:** An unauthorized party gained limited access to the external ticketing system. The specific access vector is undisclosed.
### Lateral Movement
- **Details:** Attackers were able to access data stored within the compromised customer service provider’s system, which included user information tied to support interactions.
### Data Exfiltration/Impact
- **Details:** Attackers stole PII (real names, usernames, emails, contact details), IP addresses, messages/attachments sent to support agents, partial billing information (last four credit card digits, payment type, purchase history), and photos of government-issued IDs (driver's licenses, passports) for a small subset of users. The incident was financially motivated, as attackers demanded a ransom.
### Detection & Response
- **How it was discovered:** Discord identified the unauthorized access.
- **Response actions taken:** Discord immediately worked to isolate the support provider from its ticketing system, launched an internal investigation, engaged a leading computer forensics firm, and notified law enforcement.
## Attack Methodology
- **Initial Access:** Compromise of a vetted third-party vendor system.
- **Persistence:** Not explicitly documented, but access was maintained long enough to exfiltrate sensitive records.
- **Privilege Escalation:** Not applicable/undisclosed; access was likely obtained based on the third party's existing access level.
- **Defense Evasion:** Not detailed, but the use of a third-party vendor inherently bypassed primary security controls protecting the core system.
- **Credential Access:** Unclear if credentials were stolen, or if data was accessed directly via the vendor's authenticated session.
- **Discovery:** Unknown, but likely involved reconnaissance within the vendor's environment to locate sensitive user data.
- **Lateral Movement:** Movement was confined to—or originated from—the compromised third-party system.
- **Collection:** Gathering of PII, authentication documents, and partial payment data associated with support tickets.
- **Exfiltration:** Data was stolen with the intent to extort Discord via a ransom demand.
- **Impact:** Exposure of comprehensive identity data, potentially compromising user security across other platforms (e.g., crypto accounts).
## Impact Assessment
- **Financial:** Undisclosed ransom demand was made. Costs associated with forensics, remediation, and notification are implied.
- **Data Breach:** Personally identifying information (names, emails, usernames), partial payment details (last four digits of cards, type), communication history, IP addresses, and photos of government IDs.
- **Operational:** Minor disruption to the support system, requiring isolation and investigation.
- **Reputational:** Negative press regarding the scope of personal data exposed, including government ID photos.
## Indicators of Compromise
- **Network indicators:** Insufficient detail provided (no specific IPs or domains mentioned).
- **File indicators:** Presence of stolen user records, potentially including images of ID documents.
- **Behavioral indicators:** Unauthorized high-volume data retrieval from the third-party customer service database.
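The behavioral indicator above (high-volume retrieval from the vendor's ticketing database) is the one signal a defender can realistically alert on, provided the vendor exports audit events. The following is an added example, not code from Discord or the provider: a small detector that reads newline-delimited JSON audit events, flags any actor whose read volume in a sliding window exceeds a baseline, and separately flags downloads of attachments tagged as government-ID documents. The event field names (`ts`, `actor`, `action`, `object`, `tags`), the action names and the thresholds are assumptions for illustration, and the sample log is constructed.

```python
"""Detect bulk ticket/attachment retrieval in a third-party ticketing system's
audit log. Added example; field names, action names and thresholds are
assumptions, and the embedded sample log is constructed, not real data."""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Tunable thresholds (assumptions for illustration; derive from real baselines).
WINDOW = timedelta(minutes=10)
MAX_READS_PER_WINDOW = 50
ID_DOC_TAGS = {"government_id", "passport", "drivers_license"}
RETRIEVAL_ACTIONS = {"ticket.read", "attachment.download"}


def parse_events(ndjson: str) -> list[dict]:
    """Parse NDJSON audit events and return them sorted by timestamp."""
    events = []
    for line in ndjson.strip().splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def detect_bulk_retrieval(events: list[dict]) -> dict[str, dict]:
    """Return {actor: finding} for actors who exceed MAX_READS_PER_WINDOW
    retrieval events in any WINDOW-long sliding window, or who download any
    attachment tagged as an ID document."""
    per_actor = defaultdict(list)
    for ev in events:  # already time-ordered, so per-actor lists stay ordered
        if ev.get("action") in RETRIEVAL_ACTIONS:
            per_actor[ev["actor"]].append(ev)

    findings = {}
    for actor, evs in per_actor.items():
        # Two-pointer sliding window: peak number of events within WINDOW.
        peak, start = 0, 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > WINDOW:
                start += 1
            peak = max(peak, end - start + 1)
        id_docs = [e["object"] for e in evs
                   if e["action"] == "attachment.download"
                   and ID_DOC_TAGS & set(e.get("tags", []))]
        reasons = []
        if peak > MAX_READS_PER_WINDOW:
            reasons.append(f"{peak} retrievals within {WINDOW} "
                           f"(threshold {MAX_READS_PER_WINDOW})")
        if id_docs:
            reasons.append(f"{len(id_docs)} ID-document attachment(s) downloaded")
        if reasons:
            findings[actor] = {"peak_reads": peak, "id_docs": id_docs,
                               "reasons": reasons}
    return findings


def build_sample_log() -> str:
    """Constructed sample audit log: one normal agent and one account that
    bulk-reads tickets and then pulls ID-document attachments."""
    base = datetime(2025, 9, 20, 14, 0, tzinfo=timezone.utc)
    rows = []
    for i in range(12):  # normal agent: 12 reads spread over an hour
        rows.append({"ts": (base + timedelta(minutes=5 * i)).isoformat(),
                     "actor": "agent-normal", "action": "ticket.read",
                     "object": f"T-{1000 + i}", "tags": []})
    for i in range(80):  # suspicious: 80 reads in about four minutes
        rows.append({"ts": (base + timedelta(seconds=3 * i)).isoformat(),
                     "actor": "vendor-svc-acct", "action": "ticket.read",
                     "object": f"T-{2000 + i}", "tags": []})
    for i, tag in enumerate(["passport", "drivers_license", "government_id"]):
        rows.append({"ts": (base + timedelta(minutes=5, seconds=i)).isoformat(),
                     "actor": "vendor-svc-acct", "action": "attachment.download",
                     "object": f"A-{30 + i}", "tags": [tag, "image"]})
    return "\n".join(json.dumps(r) for r in rows)


if __name__ == "__main__":
    for actor, finding in detect_bulk_retrieval(parse_events(build_sample_log())).items():
        print(actor, "->", "; ".join(finding["reasons"]))
```

The thresholds matter more than the code: a real baseline should come from each vendor role's normal ticket volume, and ID-document downloads are worth alerting on at any volume, since the report shows that a single session's reads were enough to expose identity documents.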
## Response Actions
- **Containment measures:** Revoking the customer support provider’s access to Discord’s ticketing system immediately.
- **Eradication steps:** Forensic investigation launched to confirm the scope and ensure the attacker has no lingering access.
- **Recovery actions:** Engagement of external forensic experts and coordination with law enforcement.
## Lessons Learned
- The reliance on third-party providers introduces significant risk, potentially exposing highly sensitive user data stored within those vendor systems.
- The data stolen is highly sensitive ("literally people's entire identity"), indicating a significant risk to the affected users.
## Recommendations
- Conduct a thorough security audit of all third-party vendors with access to sensitive customer data, focusing on access segmentation and data retention policies.
- Review and minimize the amount of PII and sensitive documents (like government IDs) stored by customer support third parties.
- Implement stronger multi-factor authentication and strict access controls for all external services integrated with the core platform.