Discord Data Breach Exposes 70,000 Govt IDs via Third-Party Hack

A Partner's Security Failure Sparks a Major Privacy Crisis

The Story Behind the 70,000 Government IDs Stolen Through a Supply Chain Attack

11 OCT 2025, 10:36 AM

Highlights

  • Hackers breached a third-party customer service vendor, not Discord's own servers, by tricking an employee.
  • The data of approximately 70,000 users, including government IDs used for age verification, was stolen.
  • Discord refused the hackers' ransom demand and is now directly notifying all affected users.

In a security crisis that highlights the hidden vulnerabilities of the platforms we use daily, Discord has confirmed a major data breach originating not from its own servers but from a trusted third-party partner. The incident has exposed the highly sensitive government IDs of approximately 70,000 users, triggering a firestorm of privacy concerns and intense scrutiny from users and data protection authorities.

Here is a deep dive into how the hack happened, the exact data that was compromised, and the significant fallout for both Discord and its global user base.

How Did the Hack Actually Happen?

The source of this crisis was a classic "supply chain attack". The breach occurred at 5CA, a third-party vendor that Discord contracts to handle customer service tickets, particularly the sensitive process of age-related appeals. 

The attackers, a cybercrime syndicate known as the Scattered Lapsu$ Hunters (SLH), used their signature tactic: social engineering. By placing a deceptive phone call to a support agent at 5CA, they tricked the employee into handing over their login credentials.

With these digital keys in hand, the hackers gained unfettered access to Discord's customer support system. For 58 critical hours between September 22 and September 24, 2025, they were free to browse and syphon sensitive user data from support tickets before their intrusion was finally detected and their access severed. 

What Data Was Stolen? The Official Tally

Following the breach, the Scattered Lapsu$ Hunters took to Telegram, boasting of a massive 1.5-terabyte data haul that included over two million ID photos. The group's apparent strategy was to inflate the numbers, create mass panic, and pressure Discord into meeting their ransom demands. 

However, Discord has publicly refuted these claims, labelling them part of a blatant extortion attempt. According to the company's official investigation, the compromised data, while serious, was more limited:

  • Government-Issued IDs: The most sensitive data reportedly compromised. Approximately 70,000 users who submitted a photo of their ID for an age-related appeal may have had their images exposed. This includes passports and driver's licences.
  • Personal and Account Information: Other data linked to customer support interactions was also reportedly breached, including users' names, Discord usernames, and email addresses.
  • Limited Billing and Technical Data: The last four digits of some users' credit cards and their IP addresses were also potentially exposed.
  • Support Communications: Transcripts of conversations between users and the customer support team were compromised.

Crucially, Discord has been firm that the breach did not include account passwords, full credit card numbers, or any private messages and server chats outside of the customer support system.

Why Did Discord Have Your ID in the First Place?

Many users were understandably shocked to learn that Discord was storing their government IDs. This all comes down to the platform's age verification process, a system put in place to comply with new internet safety laws like the UK's Online Safety Act.

While these laws mandate that platforms take steps to protect minors, it's important to note that the long-term storage of ID documents is not mandated or recommended by these authorities. 

Discord stated that it uses a service called Veratad for ID validation and that "for ID verification, the scan of your ID is deleted upon verification."

This policy is now under intense scrutiny, as the breach proves that a third-party customer service provider had access to and was storing these very ID documents. The fact that only users who interacted with Discord’s Customer Support or Trust & Safety teams were impacted confirms the breach's origin with the vendor. 

Essentially, a well-intentioned process designed to keep users safe created a centralized "honeypot" of highly sensitive data, which proved to be an irresistible target for cybercriminals.

What Is Discord Doing About It?

Armed with the stolen data, the hackers demanded a $3.5 million ransom. Discord's response was unwavering. In a statement to The Verge, spokesperson Nu Wexler said, "We will not reward those responsible for their illegal actions."

Instead of negotiating, Discord is cooperating fully with law enforcement and data protection authorities. The company has terminated its contract with 5CA, immediately secured the affected support systems, and has been directly contacting all 70,000 affected users via email with guidance on what to do next.

For those impacted, the company is advising them to be vigilant for phishing scams, consider placing a fraud alert with credit agencies, and enable Two-Factor Authentication (2FA) on their account as a general best practice.

The Bigger Picture: What This Means for Online Privacy

The Discord breach is a stark reminder that in our interconnected world, an organization's security is only as strong as its weakest link. It powerfully illustrates the growing risks of supply chain attacks and raises critical questions about the privacy implications of mandatory age verification.

As more platforms are forced to collect sensitive identity documents, they will inevitably create more high-value targets for threat actors. For the tech industry, this is a critical lesson on the importance of rigorously vetting partners and minimizing data collection. 

For users, it serves as a powerful reminder to remain cautious and conscious of the information we share online, even with the platforms we use and trust every day.

Krishna Goswami

Author

Krishna Goswami is a content writer at Outlook India, where she delves into the vibrant worlds of pop culture, gaming, and esports. A graduate of the Indian Institute of Mass Communication (IIMC) with a PG Diploma in English Journalism, she brings a strong journalistic foundation to her work. Her prior newsroom experience equips her to deliver sharp, insightful, and engaging content on the latest trends in the digital world.

Published At: 11 OCT 2025, 12:50 PM