Discord disclosed that a third-party customer support vendor was breached, possibly exposing government ID photos and related personal data for about 70,000 users, though hackers claim the haul could be far larger (1.5 TB, 2.1 million IDs). Discord insists the estimates are exaggerated and refuses to pay extortion demands, while severing ties with the vendor (identified as 5CA) and working with authorities. Alongside the ID images, compromised data may include names, usernames, emails, IP addresses, messages with support, and limited billing details (e.g. last four digits of credit cards). Discord’s core systems, passwords, and full payment data were reportedly unaffected.
Sources: The Verge, The Guardian
Key Takeaways
– The breach stemmed not from Discord itself, but through a compromised third-party support/age verification service (5CA).
– Hackers claim a far larger incident (1.5 TB, millions of files) beyond Discord’s estimate of ~70,000 exposed ID photos.
– Although core credentials, passwords, and full payment data are said to be safe, leaked identity documents and metadata pose serious long-term risks to affected users.
In-Depth
On October 3, 2025, Discord announced a serious security incident: an unauthorized party had compromised one of its third-party customer service vendors, 5CA, used for support and age verification workflows. Discord clarified that its internal systems were not breached, but a subset of users who communicated with support or appealed age blocks may have had sensitive data exposed. In its statement, Discord estimated that about 70,000 users could have had government ID images accessed, along with auxiliary data like names, usernames, emails, IP addresses, support messages, and limited billing info (such as card type or last four digits). The company says no passwords, full credit card numbers, or private Discord messages were compromised.
In parallel, hacker groups behind the breach have claimed that the scale is much larger: posting screenshots of support tickets, dashboards, and asserting that 1.5 terabytes of data—including 2.1 million government ID images—were stolen. Discord strongly disputes those numbers, calling them extortion-driven exaggerations. Discord has since revoked the vendor’s system access, launched forensics investigations, notified affected users via email, and engaged law enforcement and data protection authorities.
This incident underscores a growing weak point in modern tech: third-party vendors. Even when a platform’s own defenses are robust, outsourcing support, age checks, or identity verification to external firms introduces additional risk. In this case, the exposure is especially sensitive—government-issued identity documents (driver’s licenses, passports) cannot be changed like passwords or credit cards. Once leaked, that data can fuel identity theft, synthetic identity fraud, phishing, and long-term risks to the users involved.
Moreover, the incident raises serious questions about mandatory age verification systems, especially in regulatory regimes that require platforms to validate user ages via ID checks (as is the case in the U.K.’s Online Safety Act). Critics warn that forcing platforms to collect and retain identity documents centralizes dangerous amounts of private data in places that become targets for attackers.
For users, the immediate steps are clear: monitor financial accounts, enable identity theft protections, watch for phishing, and be wary of unsolicited contact claiming to relate to the breach. For platforms, the lesson is sharper: vet, audit, and secure vendor practices just as tightly as your own systems. The chain is only as strong as its weakest link—and in this case, the vendor link may have become the most dangerous one.