Discord confirms data breach exposing ID photos of 70,000 users through third-party vendor

Internal investigation reveals breach includes government ID images, IP addresses, and support communications.


Discord has confirmed a security incident involving one of its third-party vendors that has led to the exposure of government-issued identification photos belonging to approximately 70,000 users. This breach specifically targeted data handled by the vendor, 5CA, used for customer service and age verification appeals.

The requirement for users to submit government ID scans, such as a driver’s license or passport, is tied to Discord’s efforts to comply with new regulations, specifically the UK’s Online Safety Act and the EU’s Digital Services Act. These laws place a legal obligation on platforms to ensure age-appropriate experiences, which sometimes requires users to verify their age. The compromised photos were those submitted by users to Discord’s customer service to review age-related appeals.

What information was compromised?

Discord has been clear that this was a breach of a vendor’s system, not the core Discord platform itself. While the company stated that a confirmed 70,000 users may have had their government ID photos exposed, the incident affected a wider pool of users who had recently interacted with the Customer Support or Trust & Safety teams.

Information that may have been accessed by the unauthorized party includes:

  • Government-ID Images: A small number of documents used for age-related appeals.
  • Customer Support Data: Name, Discord username, email, and other contact details provided to the support team.
  • Limited Financial Data: Payment type, the last four digits of a credit card, and purchase history associated with the account.
  • Technical Details: IP addresses and messages exchanged with customer service agents.
  • Corporate Data: Limited training materials and internal presentations.

Discord has assured users that critical data such as full credit card numbers, CCV codes, or any password and authentication data remain secure and were not involved in the breach. Furthermore, no in-app messages or posts were accessed beyond those communicated with support agents.

“Discord has and will continue to take all appropriate steps in response to this situation. As standard, we will continue to frequently audit our third-party systems to ensure they meet our security and privacy standards,” the company said, adding that it had notified relevant data protection authorities, “proactively engaged with law enforcement to investigate this attack,” and reviewed its threat detection systems.
