Discord Confirms Third-Party Vendor Breach Exposed User IDs in Ransom Plot

Discord has confirmed a significant data breach affecting thousands of users after hackers compromised its third-party customer support vendor. The incident exposed sensitive user information including government ID images and triggered ransom demands from the attackers.

Key Takeaways

• 70,000 users had government ID photos exposed
• Breach occurred via third-party vendor 5CA on September 20
• Scattered Lapsus$ Hunters group claimed responsibility
• Discord has terminated the vendor relationship

How the Discord Data Breach Unfolded

The security incident occurred on September 20, 2025, when attackers gained unauthorized access to 5CA, one of Discord’s third-party customer service providers. Importantly, this was not a direct breach of Discord’s own servers but rather a compromise of their external support vendor.

The exposed data includes Discord usernames, real names, email addresses, limited billing details, IP addresses, and messages exchanged with customer service agents. Most concerningly, approximately 70,000 users globally had government ID images exposed—documents that were submitted for age verification purposes.

Ransom Demands and Threat Group Involvement

Reports indicate the attackers attempted to extort money from Discord using the stolen data. Bleeping Computer identified the Scattered Lapsus$ Hunters (SLH) threat group as claiming responsibility for the attack. This same group allegedly claims access to over a billion Salesforce records and is demanding ransom for those as well.

Discord’s Response and Security Measures

Discord disclosed the incident on October 3—13 days after the breach occurred. The company has taken several decisive actions:

• Terminated the compromised vendor’s access
• Launched an internal investigation with digital forensics experts
• Notified all affected users globally
• Alerted data-protection authorities and law enforcement
• Initiated third-party vendor security audits

A Discord representative stated: “We want to address inaccurate claims by those responsible that are circulating online. First, as stated in our blog post, this was not a breach of Discord, but rather a third-party service we use to support our customer service efforts. Second, the numbers being shared are incorrect and part of an attempt to extort a payment from Discord. Of the accounts impacted globally, we have identified approximately 70,000 users that may have had government-ID photos exposed, which our vendor used to review age-related appeals. Third, we will not reward those responsible for their illegal actions. All affected users globally have been contacted, and we continue to work closely with law enforcement, data protection authorities and external security experts. We’ve secured the affected systems and ended work with the compromised vendor. We take our responsibility to protect your personal data seriously and understand the concern this may cause.”

6 Essential Security Steps for Affected Users

1. Enable Two-Factor Authentication

Activate 2FA on your Discord account using authenticator apps or SMS. This adds an extra verification layer that prevents unauthorized access even if your password is compromised.

2. Use Strong, Unique Passwords

Never reuse passwords across different platforms. Consider using a password manager to generate and store complex, unique passwords for each of your accounts.

3. Monitor for Suspicious Activity

Regularly check your Discord login history and email for unusual sign-in attempts. Consider identity protection services that scan the dark web for your credentials.

4. Be Wary of Phishing Attempts

Expect increased phishing emails following this breach. Verify all communications carefully—Discord will only contact you about this incident from noreply@discord.com.

5. Keep Software Updated

Ensure your operating system, apps, and antivirus software are current to protect against known vulnerabilities that attackers might exploit.

6. Consider Data Removal Services

Evaluate personal data removal services to reduce your digital footprint and make it harder for attackers to target you with personalized attacks.

The Bigger Picture: Third-Party Security Risks

This incident highlights the growing cybersecurity challenge of third-party vendor risks. As companies increasingly rely on external service providers, these vendors often become the weakest link in security chains. The Discord breach demonstrates how even robust internal security measures can be undermined by vulnerabilities in partner organizations.

The fundamental question remains: Should companies bear greater accountability for breaches originating from their third-party providers? This incident will likely fuel ongoing discussions about vendor security standards and corporate responsibility in the digital age.