Analysis

Discord now says 70,000 government IDs may have leaked in provider hack A rep said some claims made about the hack were part of the extortion attempt by the perpetrators. Over the weekend, Discord revealed that its users may have had their data compromised when a third-party service provider was hacked. At the time, the platform said that a "small number" of government IDs may have been illicitly accessed. Today, however, claims circulated that the attackers had obtained more than 2 million photos that had been used for age-verification purposes. In response, the company said that about 70,000 users "may have had government-ID photos exposed." Other user data that could have been compromised includes the users’ "name, Discord username, email and other contact details if provided to Discord customer support," as well as a limited amount of billing information. Engadget reached out to Discord for comment, but did not receive a response. However, Discord spokesperson Nu Wexler shared a statement about the issue with The Verge and said that some of the figures being shared were "inaccurate" and came from the attackers. "The numbers being shared are incorrect and part of an attempt to extort a payment from Discord," Wexler said. "We will not reward those responsible for their illegal actions. All affected users globally have been contacted and we continue to work closely with law enforcement, data protection authorities, and external security experts. We’ve secured the affected systems and ended work with the compromised vendor." Discord has confirmed a significant data breach involving approximately 70,000 user government ID photos, alongside other personal data such as names, usernames, emails, and limited billing information. This compromise stemmed from a hack of a third-party service provider, not Discord's internal systems directly. The company explicitly refuted attacker claims of a larger 2 million photo breach, labeling these as an extortion attempt which it refuses to pay. In response, Discord has taken immediate steps, including notifying all affected users globally, securing its compromised systems, and terminating its relationship with the implicated third-party vendor. Furthermore, the platform is actively collaborating with law enforcement and data protection authorities to address the incident. This proactive stance aims to mitigate the aftermath, though reputational damage remains a key concern. The incident highlights critical supply chain cybersecurity risks prevalent across the tech industry, particularly for platforms that outsource sensitive operations like age verification. The exposure of government IDs specifically intensifies regulatory scrutiny and potential legal ramifications under data privacy frameworks. Discord's decision not to engage with extortionists, while commendable, could lead to prolonged public relations challenges for the company.