Discord Confirms Support Vendor Hack Exposing User Data And Government IDs

How the Discord Data Breach Unfolded

In early October 2025, Discord confirmed a significant security incident involving a third-party customer service vendor, affecting users who had contacted its Customer Support or Trust & Safety teams. The breach, which occurred on September 20, 2025, was not a direct intrusion into Discord's internal systems but rather a compromise of a vendor's support ticket environment. The attackers, identifying themselves as the Scattered Lapsus$ Hunters (SLH), exfiltrated approximately 1.6 terabytes of data, including sensitive user information and government ID images used for age verification appeals.

Vendor 5CA Named as the Breach Vector

Discord publicly named 5CA, a Netherlands-based customer experience firm, as the third-party provider whose environment was breached. According to Discord's updated statement on October 9, 2025, the unauthorized party accessed 5CA's support ticket system, gaining entry to internal dashboards, payment details, and government ID photos. However, 5CA quickly issued a denial, claiming its systems were not compromised and that it does not handle government-issued IDs for Discord. This contradiction has stirred confusion, with 5CA suggesting the incident may stem from human error rather than a direct system breach.

What Data Was Exposed?

The stolen data includes names, Discord usernames, email addresses, IP addresses, and customer support interaction transcripts. More critically, Discord identified approximately 70,000 users whose government ID images (such as driver's licenses and passports) may have been accessed. Limited billing information—payment type, last four digits of credit cards, and purchase history—was also leaked. Discord assured that full credit card numbers, passwords, and private messages outside support channels remained secure.

The Hacker Group and Their Demands

The threat actor known as Scattered Lapsus$ Hunters (SLH) claimed responsibility. The group is reportedly a coalition combining tactics from Scattered Spider, Lapsus$, and ShinyHunters, groups infamous for targeting third-party vendors. SLH attempted to extort Discord for a ransom, initially claiming they held over 2 million government ID photos, though Discord's internal investigation put the figure at around 70,000. Discord refused to pay the ransom, and law enforcement was engaged to track the perpetrators.

Immediate Actions Taken by Discord

Upon discovery, Discord revoked the vendor's access to its ticketing system and terminated the partnership. The company launched an internal investigation with a leading computer forensics firm and notified relevant data protection authorities. Affected users are being contacted via email from noreply@discord.com, and Discord stressed it will never call users about security issues. The company also reiterated that its core infrastructure remained uncompromised.

Lessons for Users and the Industry

This incident underscores the risks of supply chain attacks, where attackers exploit less secure third-party partners. For Discord users, the breach highlights the importance of securing accounts with strong passwords and enabling two-factor authentication. Users should also be cautious about sharing sensitive information like government IDs, even for legitimate appeals. The contradiction between Discord's and 5CA's statements points to the need for more transparent vendor risk management and robust incident response protocols across the industry.