Discord has confirmed that approximately 70,000 users had their government ID photos exposed in a data breach at a third-party customer service vendor. The gaming platform is pushing back against extortion attempts claiming much higher numbers, while affected users have been notified and the compromised vendor relationship has been terminated.
Discord is dealing with the fallout from a significant data breach that exposed government-issued ID photos from roughly 70,000 users worldwide. The gaming platform confirmed the scope Tuesday after hackers began circulating wildly inflated claims as part of what appears to be an extortion campaign.
The breach didn't hit Discord directly, but rather a third-party customer service vendor the company used to handle user appeals. Specifically, hackers compromised Discord's Zendesk instance, where customer service teams stored sensitive documents including government IDs used for age verification.
"This was not a breach of Discord, but rather a third-party service we use to support our customer service efforts," Discord spokesperson Nu Wexler told The Verge. The statement came after security researchers at vx-underground posted on social media that hackers were claiming to possess "1.5TB of age verification related photos" totaling over 2 million images.
Discord is calling those numbers grossly exaggerated. The company says it has identified exactly 70,000 users whose government ID photos may have been accessed during the breach. These IDs were submitted by users appealing age-related account restrictions - a process Discord uses to verify that users meet minimum age requirements in their countries.
The timing couldn't be worse for Discord, which has been under increased scrutiny over child safety issues. The platform requires users to be at least 13 years old, but enforcement has historically relied on self-reported birthdates. When accounts get flagged for potential age violations, users can submit government-issued photo IDs to prove they meet age requirements.
Beyond the ID photos, Discord's initial breach disclosure last week revealed that other personal information was also compromised. Names, usernames, email addresses, the last four digits of payment cards, and IP addresses were all potentially accessed by the attackers.
The company has moved quickly to contain the damage. All 70,000 affected users have been personally contacted about the exposure, Discord says. The relationship with the compromised vendor has been terminated, and security measures have been implemented to prevent similar incidents.
