Tag: Trust & Safety

  • Discord Data Breach: Hackers Steal User IDs and Government ID Images from Third-Party Contractor

    Discord has confirmed that attackers gained access to the personal data of some users after breaching one of its third-party contractors responsible for customer support services.

    The incident affected individuals who had previously contacted Discord’s support or Trust & Safety teams. According to the company, the motive behind the breach was extortion — the attackers sought payment in exchange for withholding the stolen data.

    Upon discovering the intrusion, Discord immediately revoked the contractor’s access to its ticketing system and notified law enforcement authorities. However, the attackers had already exfiltrated sensitive user information, including a limited number of ID images — such as passports and driver’s licenses — submitted by users appealing age restrictions.

    According to the official statement, the stolen data may include:

    • Names, usernames, and email addresses provided during support interactions;
    • Limited payment details — card type, last four digits, and purchase history;
    • IP addresses;
    • Correspondence with support staff;
    • Certain internal materials, including training presentations.

    The company emphasized that passwords, full credit card numbers, and private chat content on the platform were not compromised.

    It remains unclear how many users were affected or which third-party company was breached. However, a group calling itself Scattered Lapsus$ Hunters (SLH) claimed responsibility for the attack, alleging it gained access through Zendesk, the system Discord uses to manage customer support tickets.

    Discord has notified data protection regulators and continues to cooperate with law enforcement. The company stated that it has reviewed and strengthened its threat monitoring and third-party security measures.

    Users are advised to remain vigilant about suspicious emails and messages. All affected individuals will be notified by email from noreply@discord.com, and the company stressed that it will not contact anyone by phone.

    It is worth noting that earlier, in August, unidentified actors claimed to have obtained access to billions of Discord messages, voice sessions, and user files through large-scale data scraping.