Hack of age verification firm may have exposed 70,000 Discord users' ID photos
Breach Details: What Happened and When
On October 3, 2025, Discord disclosed that an unauthorized entity gained access to one of its third-party customer service providers, 5CA. The breach, which began around September 20, compromised the account of a support agent, giving hackers access to Discord user data for approximately 58 hours. The attacker(s) allegedly stole at least 70,000 images of government-issued IDs—such as passports or driver’s licenses—submitted by users for age verification. The perpetrator is also reportedly attempting to extort a ransom from the affected company.
What Data Was Exposed?
Beyond the ID photos, the breach may have exposed users' names, email addresses, contact information, IP addresses, and interactions with Discord's customer support. Fortunately, complete credit card information or passwords were not accessed. However, the scope remains disputed: the cybercrime group claiming responsibility, Scattered LAPSUS$ Hunters, asserts they stole 1.5 terabytes of data from 5.5 million users, including over 2.1 million ID photos. Discord, however, maintains that the figure is closer to 70,000 affected users globally.
How Age Verification Works on Discord
Photo ID Method for Appeals
Discord requires age verification when a user is locked out due to being underage or when accessing age-restricted servers. Users can submit a photo of themselves holding both a government-issued ID (showing date of birth) and a paper with their Discord username. This single photo is sent to Discord's Trust & Safety team via a support form. The information provided is used solely for age verification and not for any other purpose.
Automatic Age Check via k-ID
In select regions, Discord partners with k-ID for an automatic age check. Users take a video selfie, which is processed on their device and immediately deleted after age estimation. Discord claims neither they nor k-ID store facial scans. If the automatic check fails, users must resort to the photo ID method.
Why This Breach Happened: Data Retention Issues
According to sources, the breach occurred because Discord did not delete user ID photos promptly after verification. Unlike k-ID's system, which processes selfies on-device and deletes them immediately, Discord's support system retained ID images for months. This retention window is what allowed the intruders to access and exfiltrate the data: the compromised agent account only had to reach the support portal, not the k-ID system, and every image still sitting in resolved tickets was within reach. The incident therefore points to a weakness in data-handling practice rather than a flaw in the age-estimation technology.
Implications for User Privacy and Future Verification
This incident underscores the risks inherent in centralized storage of sensitive biometric data. As Discord expands its age verification globally—driven by regulations like the UK's age verification law—the breach serves as a cautionary tale. While automatic age checks using on-device processing reduce risk, the photo ID appeal method remains vulnerable. Users must trust that their data will be promptly deleted, a trust that has been broken. Moving forward, Discord and other platforms must adopt stricter data minimization and retention policies to prevent similar exposures.
What Discord Users Should Do Now
Discord is contacting impacted users via email from noreply@discord.com. If you receive such an email, verify its authenticity before acting on it and then follow its instructions. Avoid submitting duplicate tickets or sharing your ID photo outside official channels. For those concerned about future breaches, consider using disposable or limited-purpose IDs, and monitor your accounts for suspicious activity. The incident highlights the need for stronger legislation around data retention and third-party vendor security.