Discord just confirmed that roughly 70,000 users had their government ID photos exposed through a breach at its third-party customer service provider. The gaming platform is pushing back against extortion attempts while law enforcement investigates the incident that compromised sensitive identity verification documents used for age-related appeals.
Discord is dealing with fallout from a significant data breach that exposed government identification documents for approximately 70,000 users - and the company isn't backing down from extortion demands. The gaming platform confirmed to The Verge that hackers gained access to sensitive ID photos through a compromised third-party customer service system, sparking a high-stakes standoff between the platform and cybercriminals.
The breach centers on Discord's Zendesk instance, which the company uses to handle customer support operations. Security researchers at vx-underground first flagged the incident on social media, revealing that hackers were attempting to extort Discord with claims of possessing "1.5TB of age verification related photos" totaling over 2.18 million images. But Discord spokesperson Nu Wexler pushed back hard against these inflated numbers.
"The numbers being shared are incorrect and part of an attempt to extort a payment from Discord," Wexler told The Verge in a statement. "We will not reward those responsible for their illegal actions." The company's firm stance reflects a growing trend among tech firms to resist ransomware and extortion attempts, even when facing potential reputational damage.
The exposed government IDs were specifically used for age-related appeals, part of Discord's system for verifying users who claim they're old enough to use the platform despite being flagged by age verification systems. This creates a particularly sensitive data exposure, as government-issued identification documents contain the exact personal information that identity thieves prize most.
The timing couldn't be worse for Discord, which has been working to clean up its reputation around child safety and age verification. The platform has faced ongoing scrutiny from lawmakers and parents about underage users accessing inappropriate content. Having the very system designed to protect minors become a vector for data exposure adds insult to injury.
Beyond the ID photos, last week's initial disclosure revealed that hackers also accessed a broader range of user data including full names, usernames, email addresses, the last four digits of credit cards, and IP addresses. This creates a comprehensive profile that could enable sophisticated social engineering attacks against affected users.
