Discord data breach: up to 70,000 users affected after third-party vendor compromise
Discord has disclosed new details about a recent security incident, warning that up to 70,000 users may have been impacted after one of its third-party customer service providers was compromised. The company says the breach affected people who interacted with its Customer Support or Trust & Safety teams, and only data shared in those support tickets was exposed.
The incident comes as more online platforms introduce age verification measures that require users to submit government IDs or selfies under certain circumstances, such as when they are reported for being underage. Discord’s update notes that a small number of government ID images were among the exposed files, underscoring growing concerns about the risks tied to ID collection.
What happened
– An unauthorized party gained access to an external customer service vendor used by Discord.
– The attacker accessed a limited set of information belonging to users who had contacted Customer Support and/or Trust & Safety.
– Discord has cut off the vendor’s access to its systems and is working with law enforcement while the investigation continues.
What data may have been exposed
– Name, Discord username, email address, and other contact details
– Limited billing information, such as payment type, the last four digits of a credit card, and purchase history
– IP addresses
– Messages exchanged with customer service agents
– Limited corporate data, including training materials and internal presentations
– A small number of government ID images
Who is being notified
– Discord is emailing impacted users from noreply@discord.com.
– The company says it will not call users by phone about this incident, a step intended to reduce the risk of phishing and social engineering attempts.
Why this matters
As more companies comply with local regulations by verifying user ages or identities, sensitive documents like driver’s licenses are increasingly stored with third parties. While tools such as VPNs can obscure IP addresses, many sites already restrict traffic from known VPN endpoints, and a VPN does not protect data you voluntarily upload during verification or support interactions.
What you should do now
– Watch for phishing: Be cautious of emails, DMs, or texts claiming to be from Discord. Check sender addresses carefully and avoid clicking suspicious links.
– Verify official notices: If you receive an email about this incident, confirm it came from noreply@discord.com before taking action.
– Update your security: Change your Discord password, enable two-factor authentication, and use a unique password managed by a reputable password manager.
– Review your account activity: Check for unfamiliar logins or changes to your account and revoke access for any unknown connected apps.
– Monitor financial statements: Keep an eye on bank and card activity, especially if you’ve made purchases on Discord.
– Consider credit protections: If you believe your ID was exposed, explore credit monitoring, fraud alerts, or a credit freeze with major bureaus in your region.
– Minimize future exposure: Only share ID or sensitive documents when absolutely necessary and keep records of where you’ve submitted them.
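For readers who want to go further than eyeballing the sender on a notice email, here is an added example (not from Discord or the original article) that checks a saved raw message for the exact sender address noreply@discord.com and for a DMARC pass recorded by the receiving mail server. The server name mx.example.net and the sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import getaddresses

EXPECTED_SENDER = "noreply@discord.com"  # address the notice is said to come from

def check_notice(raw_message, trusted_authserv):
    """Return reasons to distrust the message; an empty list means both checks passed."""
    msg = message_from_string(raw_message)
    problems = []
    # Compare the address itself, not the display name, and require exactly one sender.
    senders = getaddresses(msg.get_all("From", []))
    if len(senders) != 1 or senders[0][1].lower() != EXPECTED_SENDER:
        problems.append("From address is not exactly " + EXPECTED_SENDER)
    # Count only Authentication-Results headers whose leading authserv-id is our own
    # mail server; headers carrying any other authserv-id are ignored.
    stamped = [h for h in msg.get_all("Authentication-Results", [])
               if h.split(";", 1)[0].strip().lower() == trusted_authserv.lower()]
    if not stamped:
        problems.append("no Authentication-Results from " + trusted_authserv)
    elif not re.search(r"\bdmarc=pass\b", stamped[0], re.IGNORECASE):
        problems.append("DMARC did not pass")
    return problems

# Constructed sample messages (not real Discord mail); mx.example.net is hypothetical.
GENUINE = (
    "Authentication-Results: mx.example.net; dmarc=pass header.from=discord.com\n"
    "From: Discord <noreply@discord.com>\n"
    "Subject: Security notice\n\nbody\n"
)
DISPLAY_NAME_TRICK = (
    "Authentication-Results: mx.example.net; dmarc=pass header.from=discord-notice.example\n"
    'From: "noreply@discord.com" <support@discord-notice.example>\n'
    "Subject: Security notice\n\nbody\n"
)
FAILED_DMARC = (
    "Authentication-Results: mx.example.net; dmarc=fail header.from=discord.com\n"
    "From: Discord <noreply@discord.com>\n"
    "Subject: Security notice\n\nbody\n"
)

if __name__ == "__main__":
    for name, raw in [("genuine", GENUINE), ("display-name trick", DISPLAY_NAME_TRICK),
                      ("failed DMARC", FAILED_DMARC)]:
        print(name, "->", check_notice(raw, "mx.example.net") or "checks passed")
```

Passing both checks only shows the message was sent through the claimed domain; it says nothing about whether links inside it are safe to follow.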
The bottom line
Discord’s breach stems from a third-party vendor compromise that may have affected up to 70,000 users, primarily those who contacted support. Exposed data ranges from contact details and limited billing information to support messages and, for a smaller subset, government ID images. Stay alert for phishing, secure your account, and monitor your financial and identity information while Discord completes its investigation and notification process.






