Analysis

Discord has identified approximately 70,000 users that may have had their government ID photos exposed as part of a customer service data breach announced last week, spokesperson Nu Wexler tells The Verge. A tweet by vx-underground said that the company was being extorted over a breach of its Zendesk instance by a group claiming to have “1.5TB of age verification related photos. 2,185,151 photos.” Discord says 70,000 users may have had their government IDs leaked in breach Discord claims that the attackers are circulating inaccurate information about the breach of a customer service provider as part of an extortion attempt. Discord claims that the attackers are circulating inaccurate information about the breach of a customer service provider as part of an extortion attempt. When we asked about the tweet, Wexler shared this statement: Following last week’s announcement about a security incident involving a third-party customer service provider, we want to address inaccurate claims by those responsible that are circulating online. First, as stated in our blog post, this was not a breach of Discord, but rather a third-party service we use to support our customer service efforts. Second, the numbers being shared are incorrect and part of an attempt to extort a payment from Discord. Of the accounts impacted globally, we have identified approximately 70,000 users that may have had government-ID photos exposed, which our vendor used to review age-related appeals. Third, we will not reward those responsible for their illegal actions. All affected users globally have been contacted and we continue to work closely with law enforcement, data protection authorities, and external security experts. We’ve secured the affected systems and ended work with the compromised vendor. We take our responsibility to protect your personal data seriously and understand the concern this may cause. In its announcement last week, Discord said that information like names, usernames, emails, the last four digits of credit cards, and IP addresses also may have been impacted by the breach. Discord has confirmed a data breach impacting approximately 70,000 users, with government identification photos potentially exposed through a third-party customer service provider rather than its core systems. This incident also compromised other personal identifiable information including names, usernames, emails, the last four digits of credit cards, and IP addresses. The company has explicitly refuted claims by attackers of a significantly larger data compromise (1.5TB and 2.1 million photos) as an extortion attempt, asserting it will not yield to such demands. Discord's response has included notifying all affected global users, collaborating with law enforcement and data protection authorities, securing compromised systems, and terminating its relationship with the vulnerable vendor. While the overall sentiment is 'moderately negative' with a 'defensive' tone, the company's swift actions and transparent refutation of exaggerated claims aim to mitigate the reputational and operational risks associated with this third-party security lapse, which highlights the critical importance of vendor risk management.