Discord: Attackers accessed about 70,000 user photo IDs
Third-Party Vendor Breach Exposes User Data
Discord recently disclosed that an unauthorized party compromised one of its third-party customer service providers, 5CA, leading to the exposure of approximately 70,000 user government-ID photos. The breach, which occurred on September 20, 2025, targeted a vendor used for age verification and support appeals. Discord was quick to clarify that its own platform was not infiltrated—the attack focused on the third-party provider. Immediately after discovering the incident, Discord revoked the vendor’s access to its ticketing system, launched an internal investigation, and engaged law enforcement. The company is in the process of emailing affected users, with official communications coming only from noreply@discord.com.
What Data Was Accessed?
The exposed data is limited to information handled by the customer service system. This includes names, Discord usernames, email addresses, and other contact details provided to support teams. Additionally, limited billing information—such as payment type, last four digits of credit card numbers, and purchase history—may have been accessed. IP addresses and message content exchanged with customer service agents were also exposed. Most critically, a small number of government-ID images, such as driver’s licenses and passports, were compromised. Discord emphasized that no full credit card numbers, CVV codes, passwords, or user activity beyond support interactions were involved.
Impact on Users and Age Verification
Affected users primarily include those who contacted Discord’s Customer Support or Trust & Safety teams, particularly for age-related appeals. To comply with regulations, Discord requires users to verify their age by uploading government-issued IDs. This process, outsourced to third-party vendors like 5CA, created the vector for the breach. The attacker gained access to ID photos of roughly 70,000 users, which contain sensitive personal information such as full names, dates of birth, and physical addresses. This raises significant privacy concerns, as the leaked data could be used for identity theft or stalking. Discord has specified that affected users will receive an email detailing whether their ID was accessed.
Discord’s Response and Security Measures
Discord acted swiftly by revoking the third-party provider’s access, engaging a leading computer forensics firm, and notifying relevant data protection authorities. The company is working closely with law enforcement to investigate the attack, which involved a ransom demand. Discord has stated it will not pay the ransom, calling it an illegal act. Moving forward, Discord plans to audit its third-party systems more frequently to ensure they meet security and privacy standards. The company also recommends that all users stay vigilant against suspicious messages or communications that could be part of phishing attempts related to the breach.
Official Communication Channels
Discord has warned that it will only contact affected users via email from noreply@discord.com. Users should be cautious of phone calls or emails from other addresses claiming to be about the breach. The company has not disclosed the identity of the compromised vendor, but reports confirm it was 5CA, a UK-based customer service firm. Other third-party providers, such as Zendesk, have stated their systems were not involved.
Community and Expert Reactions
The breach has sparked widespread discussion among Discord’s 200 million users, with many expressing concern over the handling of sensitive ID data. Some online commentators have suggested the breach might be more extensive than disclosed, but Discord refutes these claims, attributing them to extortion attempts. Security experts note that this incident highlights the risks of outsourcing age verification to third parties. The leak of over 100 ID images on a Telegram channel, allegedly from the breach, underscores the real-world dangers of identity exposure. Users who have submitted IDs for DMCA or age verification are particularly vulnerable, as their physical addresses may now be at risk.
What Users Should Do Next
If you receive an email from Discord about this incident, review the details carefully. Change your Discord password and enable two-factor authentication if you haven’t already. Monitor your financial accounts for suspicious activity, especially if you have billing information linked to Discord. Be extra cautious of phishing attempts that may reference the breach. For those whose ID photos were exposed, consider placing a fraud alert on your credit file and report any identity theft to relevant authorities. Discord continues to cooperate with law enforcement, but individual vigilance is key to mitigating potential harm.