Massive Discord Breach Hits Support Vendor

Discord Confirms Third-Party Breach: Hackers Access ID Documents, Billing Info, and Support Chats

Swagta Nath

San Francisco: Discord, one of the world’s largest communication platforms, confirmed a security incident involving a third-party customer service provider, leading to the exposure of sensitive data belonging to users who recently engaged with its Customer Support or Trust & Safety teams.

According to Discord’s official disclosure, attackers compromised the systems of an external vendor, believed to be Zendesk, gaining unauthorized access to the support agent’s ticket queue. The company clarified that its primary infrastructure, servers, and databases were not directly breached, but the attack exploited a vendor integration point, a common weak link in modern digital ecosystems.

Investigators determined that the intruder’s primary motive was financial extortion, not espionage. Discord said it had “immediately revoked the vendor’s system access” and is cooperating with law enforcement and data protection authorities across multiple jurisdictions.

What Information Was Stolen

The incident has affected only those users who had active or recent interactions with Discord’s support channels. However, the scope of data accessed raises serious concerns about identity theft and social engineering risks.

The stolen data includes:

  • Names, Discord usernames, and email addresses
  • Support ticket content — the actual messages exchanged with customer service agents
  • Partial billing information, including payment methods and the last four digits of credit cards
  • A limited number of government-issued IDs (driver’s licenses, passports, or national IDs) submitted for age verification appeals

The exposure of ID documents makes this breach especially severe, as such data can facilitate synthetic identity fraud, a tactic increasingly used by cybercriminals to open fraudulent accounts or evade Know-Your-Customer (KYC) controls.

Discord confirmed that impacted users have been notified via official emails from noreply@discord.com. The surge of notifications has, however, sparked confusion and phishing fears across Reddit and Discord forums, where users questioned whether the alerts themselves were genuine, highlighting a familiar pattern in which cybercriminals exploit breach-related anxiety to launch follow-up phishing attacks.

Who’s Behind the Attack: ‘Scattered LAPSUS$ Hunters’ Claims Responsibility

While Discord has not publicly named the perpetrators, a coalition calling itself “Scattered LAPSUS$ Hunters” has claimed responsibility on Telegram. The group (a hybrid of the infamous Scattered Spider, LAPSUS$, and ShinyHunters collectives) posted screenshots allegedly showing access to Discord’s internal dashboards, data privacy tools, and admin consoles.

The hackers mocked the company’s response measures, including the temporary disabling of Okta and Kolide logins, calling them “superficial.” They further taunted Discord by leaking details like an alleged internal network tag “SLHM” and threatening to publish more data on their Data Leak Site (DLS), a dark-web platform used for extortion and public shaming of victimized firms.

According to cybersecurity portal Hackread.com, DLS lists dozens of global organizations and serves as a dual-purpose site: part leak archive, part negotiation arena. By showcasing “proof-of-breach” samples, attackers apply pressure on victims to pay ransoms or negotiate silence, escalating both reputational and regulatory risks.

Discord’s Response and a Pattern of Recurring Threats

In its statement, Discord said it has engaged an external forensic firm and implemented additional controls to isolate third-party systems. The company assured users that passwords, full credit-card numbers, and private messages within Discord servers were not compromised. Still, the presence of support transcripts and identification documents in the exposed dataset leaves open questions about data minimization practices and the security vetting of vendors.

This breach adds to Discord’s troubling cybersecurity track record in 2025. In July, threat actors impersonated Discord employees to distribute Epsilon Red ransomware, and in August, researchers documented malware strains exploiting Discord’s Content Delivery Network (CDN) to host malicious payloads. The current episode, though technically indirect, highlights the fragile trust chain that connects major digital platforms with their outsourced service providers.

Cybersecurity experts argue that while third-party support vendors reduce costs, they also expand the attack surface. Each integration point, from ticketing dashboards to API bridges, can become an unmonitored doorway into otherwise well-protected environments.
