Discord confirms data breach after third-party support vendor compromised

Discord, a leading communication platform for gamers and online communities, has confirmed that a security breach at one of its third-party customer service providers exposed personal data belonging to a limited number of users who had interacted with its Customer Support or Trust and Safety teams.

The incident occurred on September 20, when an unauthorized party gained access to Discord’s customer service ticketing system through compromised credentials belonging to an employee of an external vendor. The attackers obtained support tickets containing user-submitted data such as names, email addresses, Discord usernames, and, in some cases, scanned copies of government-issued identification documents provided during age verification appeals.

Discord said it acted immediately upon discovering the breach by revoking the vendor’s access to its systems, launching an internal investigation, and engaging a leading computer forensics firm to assess the damage. Law enforcement authorities and relevant data protection regulators have been notified, and an official investigation is underway.

In a public statement, the company emphasized that its core infrastructure, databases, and authentication systems were not compromised. “Protecting the privacy and security of our users is a top priority,” Discord stated. “We took immediate steps to address the situation, including terminating access for the affected provider and enhancing monitoring for similar threats.”

The compromised data primarily related to Discord’s customer support operations and may include limited billing information such as payment type, the last four digits of a credit card, and purchase history associated with user accounts. Discord clarified that full credit card numbers and CVV codes were not exposed.

The company is currently notifying affected users via email from its official address, noreply@discord.com, and urged users to remain vigilant against phishing attempts or suspicious communications. Impacted individuals whose government ID images may have been accessed will receive specific notice outlining the nature of the exposure.

Although Discord has not disclosed the total number of affected users, it characterized the breach as impacting “a limited number” of individuals. The threat group calling itself Scattered Lapsus$ Hunters (SLH) has claimed responsibility for the attack, though this attribution has not been confirmed by investigators.

In response to the incident, Discord said it has strengthened its security oversight for external vendors and implemented additional audits of third-party systems to ensure compliance with its privacy and cybersecurity standards. “We understand the concern this may cause and remain committed to transparency and to the continued protection of our community’s data,” the company said.

Discord has advised impacted users to stay alert for potential identity misuse and to contact its support team with any concerns.