A recent security breach at Discord, the widely used communication platform, has compromised the personal data of approximately 70,000 users. The stolen information includes sensitive government-issued identification photos, which were submitted as part of age verification checks. This incident highlights the growing risks associated with online identity verification processes and the vulnerabilities of third-party service providers.
How the Breach Occurred
The compromise stemmed from a third-party customer support vendor that had access to user data for age-related appeals. Discord requires users to be at least 13 years old (with stricter age limits for certain content) and uses ID verification to enforce these rules. Hackers targeted this vendor, extracting a significant amount of personal information with the intent of extortion.
Discord claims the attackers stole around 70,000 ID photos, but cybersecurity group VX-Underground reports the actual exfiltration may be far larger—over 1.5 terabytes of data, including over 2.1 million images. Discord disputes these figures, calling them part of an extortion attempt. Regardless of the precise number, the breach is substantial.
What Was Stolen?
Besides ID photos, the compromised data included names, usernames, email addresses, and contact details provided to customer support. Limited billing information—the last four digits of credit card numbers—was also taken, though full card details and security codes were not. Critically, passwords and authentication data remained secure.
This type of theft is likely to become more frequent as more platforms implement strict age verification laws, requiring users to submit sensitive documents. Once these IDs are stored in databases, they become attractive targets for hackers.
Discord’s Response and User Impact
Discord has revoked the third-party vendor’s access and claims to be working with law enforcement. The company is contacting affected users via [email protected] and warns against unsolicited phone calls. However, some users report that their age verification requests were ignored for weeks, only to be notified of the breach afterward.
“Discord ignored my ID verification ticket for 2 weeks just to tell me that the same ticket has been involved in a data breach,” one Reddit user wrote.
The incident underscores the trade-off between platform safety and data security. Users who submitted IDs may now face increased risks of identity theft or fraud.
What Users Should Do
At present, users can only monitor their accounts for suspicious activity and enable two-factor authentication if not already active. The breach emphasizes the need for better security practices among third-party vendors and stronger data protection measures by platforms like Discord.
This incident serves as a harsh reminder that even seemingly secure platforms are susceptible to breaches, especially when reliant on external services. The future of age verification online will require a more robust approach to protect user data from exploitation.
