Discord Security Breach Exposed Government ID Photos of 70,000 Users

A third-party service provider was compromised, and information from people who had communicated with Discord's customer support and trust and safety teams was exposed.

Gael Cooper

Hackers have stolen user information from Discord, the popular voice, video and text communication platform, through a third-party customer service provider, and government ID photos were among the information stolen. Discord posted about the breach on Oct. 3 and updated the post on Wednesday.

In the statement, Discord said that about 70,000 users may have had their government ID photos exposed. Those ID photos were shared with the third-party vendor to help review age-related appeals. You must be at least 13 to use the Discord site in the US and Canada, and other countries have different age limits. Specific age-restricted content is available only to those who are 18 and over.

"No messages or activities were accessed beyond what users may have discussed with customer support or trust & safety agents," the statement said. "We immediately revoked the customer support provider's access to our ticketing system and continue to investigate this matter."



While Discord specifically called out the number of 70,000 affected users, Yahoo News cites a report from cybersecurity research group VX-Underground stating that "the attackers claim to have exfiltrated 1.5 terabytes of data, including approximately 2,185,151 images tied to age verification appeals."

A representative for Discord reiterated the online statement and said, "the numbers being shared are incorrect and part of an attempt to extort a payment from Discord." They added that the company "will not reward those responsible for their illegal actions."

Ransom wanted

It's becoming more common for criminals who breach websites to demand payment to keep the information they have stolen private, and Discord said this is happening here.

"An unauthorized party targeted our third-party customer support services to access user data, with a view to extort a financial ransom from Discord," the statement said.

The statement said law enforcement is involved in the case.

What information was taken?

The Discord statement says that stolen information may include names, Discord usernames, email addresses and other contact details that people may have provided to customer support. Messages shared with customer support, including those government ID images, were also stolen. 

Discord says that "limited billing information," including the last four digits of credit card numbers, was stolen, but not full credit card numbers or CCV codes. The site also says that passwords and authentication data weren't stolen.

It seems likely that this kind of theft will only grow as more sites must comply with age verification laws in certain US states and in other countries that are cracking down on verifying users' ages before they can use a site. The government IDs that users provide may be enough for the site to grant them the right to see certain content, but once those IDs are in the site's databases, they can be stolen.

What do I do now?

The Oct. 8 message says Discord is "in the process of contacting impacted users," who should look for messages from noreply@discord.com, and that the site will not use the phone to reach users.

It sounds like there's not a lot Discord users can do at the moment, except to keep an eye out for suspicious messages or calls that could use the stolen information to try to trick or phish users. Enable two-factor authentication if you don't already have it enabled.

User reaction

Some Reddit users say Discord never responded to their age-verification appeals, even though they were then notified that their information was compromised.

"Discord ignored my ID verification ticket for 2 weeks just to tell me that the same ticket has been involved in a data breach," wrote one Reddit user. "I'm honestly happy that I didn't give it to them, got blocked access to half of the servers I'm in but it's better than having my ID leaked I guess."

Another person said something similar happened to them, too.

"Got the same email just now," one person wrote on Reddit. "I appealed my age determination in August. Got a few emails back, but long story short the robot on the other end never accepted my ID. Nearly 2 months later, I'm told my data was leaked on the internet because Discord management doesn't have its priorities in check."