Discord data breach exposes personal information of customer support users
Full credit card numbers, CCV codes, and account passwords not compromised, company says
Discord has confirmed a data breach involving a third-party service provider, exposing sensitive personal information belonging to a number of users who contacted the platform's Customer Support or Trust & Safety teams.
The breach included names, email addresses, partial payment information, and in some cases, scanned government-issued photo IDs.
In a statement, Discord revealed that the incident stemmed from a security compromise at an external customer service vendor.
"Recently, we discovered an incident where an unauthorized party compromised one of Discord's third-party customer service providers," the company stated.
"The unauthorized party then gained access to information from a limited number of users who had contacted Discord through our Customer Support and/or Trust & Safety teams."
Importantly, Discord clarified that its core systems were not compromised. The breach was confined to systems operated by the affected support vendor. According to the company, the attack appears to have been motivated by financial extortion.
As soon as the breach was discovered, Discord revoked the vendor's access to its systems to prevent any further unauthorised activity. An internal investigation was launched, and the company has since retained a leading computer forensics firm to assist in the matter.
Discord is also cooperating with law enforcement and has notified relevant data protection authorities.
What data was exposed?
The exposed information includes:
- Full names and Discord usernames
- Email addresses and other contact details
- User IP addresses
- Message content exchanged with Discord support staff
- Limited billing information such as purchase history, payment type, and the last four digits of credit card numbers
- Scanned government-issued IDs (e.g., passports, driver's licenses) submitted for age verification - impacting a small number of users
Discord said that full credit card numbers, CCV codes, account passwords, and private messages on the Discord platform were not compromised during the breach.
The company has started notifying all impacted users directly via email. Those whose IDs may have been accessed will receive explicit mention of that in the notification. Discord also warned users to remain alert to phishing attempts, especially those pretending to be from Discord.
The company said it will not contact any users by phone, urging recipients of suspicious communications to report them immediately. As part of its response, Discord has initiated a review of the security protocols used by all its third-party vendors.
"Discord has and will continue to take all appropriate steps in response to this situation. As standard, we will continue to frequently audit our third-party systems to ensure they meet our security and privacy standards," the company noted.
Discord reaffirmed its dedication to user privacy and platform security.
"We take our responsibility to protect your personal data seriously and understand the inconvenience and concern this may cause," the company said.
This attack is the latest in a series of incidents in which ransomware groups target high-profile victims via third-party compromise.
In August, Google and Cisco disclosed separate data breaches stemming from voice phishing (vishing) attacks that compromised customer information stored in cloud-based CRM systems.
The same month, human resources software giant Workday also disclosed a data breach following a social engineering attack that compromised a third-party customer relationship management (CRM) platform.
Last month, European airports faced a prolonged check-in glitch after a ransomware attack targeting Collins Aerospace.