Up to 70,000 Discord users may have had their government ID photos compromised following a cyberattack on one of the company’s third-party vendors, Discord confirmed this week.
The platform—home to over 200 million users globally—partnered with the verification agency 5CA to comply with the UK’s Online Safety Act and the EU’s Digital Services Act, both of which require online platforms to verify user ages. Some users were asked to upload photos of government-issued identification, such as a driver’s license or passport, to confirm their age. According to Discord, it was these ID scans, submitted through verification or customer support appeals, that were accessed during the breach.
Initially, Discord described the incident as affecting a “limited number of users.” However, a subsequent update clarified that approximately 70,000 users may have had their government ID photos exposed, which were being used by 5CA to review age-related support cases.
Independent cybersecurity outlet Cyber Security News disputes that figure, claiming the breach may be significantly larger. The publication reported that Discord faced an extortion attempt following a “major” data breach on September 20, during which hackers allegedly maintained access to 5CA’s systems for 58 hours. According to their report, the attackers exfiltrated 1.5 terabytes of sensitive information—potentially including 2.1 million identification photos and details for over 5.5 million users across 8.4 million support tickets.
Data Potentially Exposed
The data reportedly accessed may include:
- Full name, Discord username, email address, and other contact details provided to customer support
- Partial billing information, including purchase type, the last four digits of credit cards, and associated
purchase history - IP addresses
- Message history with Discord’s customer service team
- Limited internal corporate data such as training materials and internal presentations
- A limited number of scanned government ID images
Discord emphasized that no full credit card numbers, security codes, passwords, or direct Discord messages were affected by the breach. Impacted users will receive direct email notifications with further details and guidance.
Discord’s Response
“Discord has and will continue to take all appropriate steps in response to this situation,” the company said in a statement. It confirmed that affected data protection authorities have been notified and that law enforcement is actively investigating. The company also stated it is reviewing its vendor oversight and threat detection measures to prevent similar incidents in the future.
Looking forward, Discord advises all users—especially those contacted by customer support—to be cautious of suspicious messages or emails that could be part of phishing attempts.
“We take our responsibility to protect your personal data seriously and understand the inconvenience and concern this may cause,” the company added.
