Discord reveals more on data breach - says 70,000 government ID photos may have been leaked

  • Discord data breach tied to third-party support provider - likely Zendesk, not Discord itself
  • Attackers claim 5.5 million user records and 2.1 million ID photos stolen during 58-hour access window
  • Discord disputes figures, confirms 70,000 ID exposures, and refuses to pay extortion demands

Discord has revealed more details about the recent third-party data breach incident, including an estimate of the likely number of ID card photos stolen in the attack.

The company had warned its users about a potential data breach, saying a third-party customer support service provider was breached. “The unauthorized party then gained access to information from a limited number of users who had contacted Discord through our Customer Support and/or Trust & Safety teams,” Discord said at the time.

The identity of the attackers was not disclosed, but Discord did say that the crooks took personally identifiable data, contact information, some corporate data, and a “small number” of government-issued ID cards.

How many ID cards?

Now, BleepingComputer has claimed the company that was likely compromised was Zendesk.

It also managed to get in touch with the attackers, who claimed to have stolen the data of 5.5 million unique users, including 2.1 million photos of government IDs. The archive totaled 1.6TB and was downloaded during 58 hours of unabated access.

The attackers told the publication they accessed the network through a compromised account belonging to a support agent employed by a business process outsourcing provider that Discord used.

Discord does not agree on the severity of the breach, though.

"First, as stated in our blog post, this was not a breach of Discord, but rather a third-party service we use to support our customer service efforts," the company told the publication in a statement.

"Second, the numbers being shared are incorrect and part of an attempt to extort a payment from Discord. Of the accounts impacted globally, we have identified approximately 70,000 users that may have had government-ID photos exposed, which our vendor used to review age-related appeals."

"Third, we will not reward those responsible for their illegal actions." The attackers allegedly asked for $5 million - and later reduced the asking price to $3.5 million.

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
