Analysis

ID photos of 70,000 users may have been leaked, Discord says Discord, a messaging platform popular with gamers, says official ID photos of around 70,000 users have potentially been leaked after a cyber-attack. The platform, which has more than 200 million users worldwide, says hackers had targeted a firm that helped to verify the ages of its users but the Discord platform itself was not breached. People can provide ID photos to verify their age on Discord - a networking hub for players to chat and share files with others in the gaming community. The leaked data may involve personal information, partial credit card details and messages that were exchanged with Discord's customer service agents, the San-Francisco-based company says. No full credit card details, passwords, or messages and activity beyond conversations with Discord's customer support agents were leaked, the firm said. All impacted users have been contacted and Discord is working with law enforcement to investigate the matter, it added. The platform said it has revoked the customer support provider's access to the system that was targeted in the breach. Discord did not name the third-party company involved. A representative from Zendesk, a customer service software provider for Discord, told the BBC that its systems had not been compromised and that the breach did was not caused by a vulnerability within its platform. Some online commentators have claimed that the data breach was bigger than Discord has revealed. A spokesperson for Discord told the BBC that those claims are inaccurate and "part of an attempt to extort payment". "We will not reward those responsible for their illegal actions," the spokesperson added. Cybercriminals frequently target personal data, which can command a high price on the black market for use in scams. Information like full names and official ID numbers is especially valuable because, unlike credit card details, it typically remains unchanged over time. Discord has previously strengthened its age-verification measures in response to concerns that some servers on the platform were being used to distribute pornographic and extremist material. Discord, a messaging platform with over 200 million users, recently disclosed a cyber-attack that compromised a third-party age verification vendor, potentially exposing official ID photos of approximately 70,000 users. The breach also involved personal information, partial credit card details, and customer service messages, though Discord's core platform was not breached, and full credit card information or passwords were not compromised. This incident highlights significant third-party vendor risk, particularly as official ID data holds high value on the black market due to its immutable nature. Discord has initiated contact with all impacted users, engaged law enforcement, and revoked the compromised vendor's system access, while also firmly refuting claims of a more extensive data breach as extortion attempts. This response aims to manage the incident's fallout and maintain user confidence. The event underscores the persistent challenge for digital platforms in managing supply chain cybersecurity risks and maintaining robust data governance, even when internal systems are secure. Given Discord's prior strengthening of age verification in response to content concerns, this breach emphasizes that comprehensive security strategies must extend across all critical third-party integrations to mitigate reputational and regulatory threats.