Discord admits compromise of 70,000 Online Safety Act proof-of-age IDs
Reports have suggested that more than two million were compromised via Zendesk
The Discord hack compromised more than 70,000 proof-of-age IDs that users needed to prove their age under the Online Safety Act. That’s according to the company itself, refuting claims that more than two million users have been affected.
These IDs included drivers’ licences, passports and other sensitive forms of photo identification that could be cloned and used for identity theft.
When news of the breach emerged earlier this month, the company had said that an “unauthorised party” had only gained access to data belonging to a “limited number of users”.
Now, the company has released more details, coming clean about how many accounts were affected, and indicating that the source of the compromise was Zendesk, the third-party customer service software it uses.
However, the attackers insist that they have the data of more than 5.5 million unique users, including 2.1 million photos featuring sensitive identification documents. They told BleepingComputer that they were able to download a trove of 1.6TB of data during the 58 hours of unfettered access.
Discord continues to reject these claims, which it adds are part of a campaign by the attackers to extort millions of dollars in ransom from Discord.
“First, as stated in our blog post, this was not a breach of Discord, but rather a third-party service we use to support our customer service efforts,” the company told BleepingComputer in a statement.
“Second, the numbers being shared are incorrect and part of an attempt to extort a payment from Discord. Of the accounts impacted globally, we have identified approximately 70,000 users that may have had government-ID photos exposed, which our vendor used to review age-related appeals.”
Discord added that it refuses to pay up. The attackers reportedly asked for $5 million, but later reduced the asking price to $3.5 million.
When the Online Safety Act (OSA) came into force in March 2025, online platforms were required to protect users from any suspected illegal content or risk substantial fines. Many smaller operators closed their forums accordingly, claiming that it would be too expensive to provide the level of policing required to ensure that they do not fall foul of the Act.
From July, users were required to provide identification to access sites potentially offering content the Act deemed not suitable for children.
Ofcom, the quango responsible for enforcing the OSA, has also sought to compel compliance with the Act globally, including in the US, resulting in the threat of legal action.
“The First Amendment protects an American’s right to talk to anyone, anywhere, anytime, about anything they choose – without interference from anybody. Not Congress, not a senator, not the governor, not even the president – and certainly not a British unelected bureaucrat,” Preston Byrne, the lawyer behind the action, explained to GB News.
Ofcom is also investigating 4chan and other websites that it claims are high-risk platforms, even though they do not have operations in the UK.
While the Act was passed under the previous government, it has been vigorously supported by the new government, elected in July last year.