Discord has confirmed that an unauthorised party accessed a limited amount of user data after compromising one of its third-party customer service vendors. The breach, which affected almost 70,000 IDs, affected the support services with the intent to extort a ransom from Discord.
The company highlighted that this was “not a breach of Discord, but rather a breach of a third-party service provider, 5CA, that we used to support our customer service efforts.” The incident impacted a select group of users who had recently communicated with Discord’s Customer Support or Trust and Safety teams.
Discord data leak: What was affected
According to a presser from Discord, the compromised data included information shared by users directly with customer service agents, such as:
– Name, Discord username, email, and other contact details.
– Limited billing information, including payment type, the last four digits of a credit card, and purchase history.
– IP addresses.
– Messages exchanged with customer service agents.
Most significantly, Discord revealed that the attacker gained access to a small number of government-ID images. The company has identified approximately 70,000 users globally who may have had their government ID photos exposed, which was used by the vendor to review age-related appeals.
Discord assured users that critical information like full credit card numbers, the CCV codes, passwords, or authentication data was not leaked. Furthermore, Discord said that “no messages or activities were accessed beyond what users may have discussed with Customer Support or Trust and Safety agents.”
What is Discord doing to mitigate the issue
Once the incident was discovered, Discord immediately revoked the compromised vendor’s access to its ticketing system. The company then launched an internal investigation and hired a leading computer forensics firm. Discord also said that it proactively engaged law enforcement to investigate the attack.
In its official statement, Discord stressed its commitment to user security, “At Discord, protecting the privacy and security of our users is a top priority. That’s why it’s important to us that we’re transparent with them about events that impact their personal information.”
Discord is currently in the process of notifying all impacted users via email from `noreply@discord.com` and urged users to remain vigilant against suspicious communications. The company is also reviewing its security controls for all third-party support providers.
