Discord officially identified the vendor as 5CA, a Netherlands-based customer experience and support firm that handled customer service tickets, including age verification appeals.
Key Details of the Breach
- Date of Intrusion: September 20, 2025 (access lasted up to 58 hours according to some reports)
- Affected Users: Approximately 70,000 users worldwide who had interacted with Discord's Customer Support or Trust & Safety teams (specifically those submitting government-issued ID photos for age-related appeals).
- Exposed Data:
  - Government ID photos (e.g., passports, driver's licenses, often with selfies).
  - Names, usernames, email addresses, IP addresses.
  - Limited billing information and support ticket contents.
- Not Exposed: Full credit card details, passwords, or general user messages/activity outside support interactions.
- Cause: Access was gained through 5CA's support environment (likely via the Zendesk ticketing system). Reports suggest social engineering (e.g., phishing a support agent) rather than a direct system exploit.
- Attackers: A group calling themselves "Scattered Lapsus$ Hunters" (or similar). They exfiltrated ~1.5–1.6 TB of data, attempted extortion, and leaked samples (including redacted user data and ID photos) when Discord refused to pay.
Discord emphasized: "This was not a breach of Discord [systems], but rather a breach of a third-party service provider, 5CA."
Dispute with 5CA
5CA issued statements denying direct responsibility:
- No hack of their systems.
- They did not handle or store government-issued IDs for Discord.
- Incident likely due to "human error" by a single employee (e.g., falling for phishing, granting unauthorized access to Discord's ticketing system).
This created conflicting narratives, with some reports highlighting risks in third-party vendor chains.
Response and Aftermath
- Discord revoked 5CA's access, hired forensics experts, notified affected users via email, and cooperated with law enforcement.
- Discord terminated its relationship with 5CA.
- No evidence of widespread data dumping on dark web forums (based on searches as of late 2025), but the attackers shared samples publicly.
- The breach highlighted risks of mandatory age verification (driven by laws like UK's Online Safety Act and EU regulations), where sensitive IDs are collected and stored by vendors.
Current Status (as of January 2026)
The incident occurred in fall 2025 and appears resolved with no major new developments. No widespread identity theft directly tied to this breach has been reported. If you submitted an ID for verification and interacted with support recently, check your email for Discord notifications and monitor for identity fraud (e.g., via credit freezes or monitoring services).
This event underscores third-party supply chain risk: Discord's core systems were secure, but vendor access created a vulnerability. To protect your privacy, enable 2FA, limit the data you share, and be cautious with verification processes.
