Third-party hack leaks sensitive verification data, fueling concerns over age checks as Discord vows not to pay ransom for attackers’ inflated claims.
On October 8, 2025, Discord announced that approximately 70,000 users worldwide may have had their government-issued ID photos compromised in a breach targeting a third-party customer service provider, identified as Zendesk by sources such as BleepingComputer.
The company swiftly debunked hackers’ boasts of a 1.5TB haul affecting 5.5 million accounts, labeling them as exaggerated extortion tactics.
Discord’s response, detailed in its October 3 blog post, underscores a commitment to transparency and security amid rising scrutiny of age-verification systems.
The breach hit Discord’s Trust & Safety operations, where users appealing bans or age restrictions submitted IDs like passports or driver’s licenses.
Compromised data also includes names, emails, usernames, IP addresses, and partial credit card details (last four digits).
Unlike the hackers’ claims, no evidence suggests mass ticket dumps; Discord insists the impact is limited to a fraction of its 200 million monthly active users.
Affected individuals received alerts via [email protected], and the company has severed ties with the vendor, bolstered system defenses, and engaged law enforcement alongside regulators like the UK ICO.
This incident amplifies alarm over mandatory ID uploads, a growing norm under laws like Australia’s upcoming under-16 social media ban and the EU’s Digital Services Act.
Critics on platforms like Reddit warn that such systems create data “honeypots,” with Techdirt arguing they undermine child safety by risking parental ID theft.
Discord’s prior security woes—ransomware in July and CDN malware in August—fuel calls for stricter third-party oversight.
Users are urged to act fast: enable two-factor authentication via Discord’s User Settings, monitor accounts for suspicious activity, and check for leaks on Have I Been Pwned. U.S. users can freeze credit with TransUnion or Equifax to thwart fraud.
Phishing scams mimicking Discord’s alerts are rampant—verify emails against official domains listed on Discord’s support hub.
The breach lands as social platforms face pressure to tighten age gates, yet it exposes the fragility of outsourcing sensitive data. With X users raging over “another day, another breach”, Discord’s reputation as a gamer’s haven hangs in the balance.
Alternatives like Signal or Revolt beckon privacy-conscious users. As regulators circle, Discord must prove it can safeguard data—or risk losing its community to rivals.