Discord has announced that a third-party customer support vendor was breached and that 70,000 government IDs submitted for age verification were exposed, though the attackers are now bragging that they got much more. The company denies that, saying the larger claims are part of an extortion scheme, but it is another example of how support tools and outsourced providers have become a ripe target for big breaches.
The disclosure matters because those IDs — such as passports and driver’s licenses — contain relatively high-value personal data that can be recycled for years. Discord, whose roughly 200 million monthly active users are mainly gamers and their followers, said its own systems had not been directly breached. Still, the theft of sensitive documents through a vendor compromise illustrates how the weakest link in a support chain can cause outsized harm.
- What Was Stolen and Why the Breach Matters Now
- Discord and Hacker Claims Are at Odds Over Scale
- The Third-Party Weak Link in Discord’s Support Chain
- How Discord Is Responding to the Support Vendor Breach
- What Affected Users Can Do Now to Protect Themselves
- Age Verification and Smarter Data Minimization Practices
What Was Stolen and Why the Breach Matters Now
The leaked data set is not complete, but under the category of “government IDs,” which some users must provide to verify their age on Discord, the documents include IDs issued by government agencies in Kentucky, Virginia, and Michigan. In practice those images typically carry full names, addresses, dates of birth and ID numbers — enough to fuel account takeovers, synthetic identity creation or targeted phishing by fraudsters willing to exploit a crisis.
Discord had earlier warned that contact and billing information could also be accessed through the hacked support environment, including names, email addresses, payment types, the last four digits of credit card numbers and purchase history. While partial payment data is less risky than full card numbers, it can still be stitched together with other information to convincingly impersonate a victim.
Discord and Hacker Claims Are at Odds Over Scale
The attackers told BleepingComputer that they had potential access to more than 521,000 age verification tickets, representing around 1.5 terabytes of data. Discord flatly rejects those numbers. The figures are false and part of an extortion effort to pressure the company, a spokesperson told The Verge, adding that Discord would not negotiate with those behind the attack.
Such discrepancies in the aftermath of a breach are common: threat actors routinely exaggerate to apply pressure, while businesses need time to reconcile logs across various systems. Even so, Discord’s decision to put the figure at 70,000 IDs suggests the company has narrowed the count to confirmed document exposure, even as it is still assessing the broader support-contact data that was accessed.
The Third-Party Weak Link in Discord’s Support Chain
Discord says the breach started at an external customer service provider. The attackers got into a support agent’s account and from there gained access to an internal support application, Zendesk. BBC News reported that Zendesk said it was not part of the breach: a reminder of how vast support stacks can become difficult to untangle in public disclosure.
The operational detail that access reportedly lasted approximately 58 hours is significant. That is enough room for lateral movement, bulk data pulls and log tampering. The pattern echoes other support-driven attacks – the Okta and Twilio incidents, for example – in which help desk tools, ticket attachments and troubleshooting artifacts become attractive targets because they contain a wealth of identity and authentication information.
How Discord Is Responding to the Support Vendor Breach
Discord says it has alerted all impacted users, locked down the compromised systems, and ended its relationship with the vendor in question. The company says it is cooperating with law enforcement, data protection authorities and outside security specialists. From a security operations perspective, that likely means rotating credentials, tightening access to support systems, and adopting stricter policies for handling attachments that contain sensitive personally identifiable information.
The firm’s public stance against paying is in line with advice from many national cyber agencies, which caution that ransom or extortion payments do not guarantee data deletion and might fuel further attacks. But, at the same time, the liability around government ID spillover risks can be severe — particularly in regions such as the European Union where GDPR and other data privacy regimes require data minimization and provable vendor oversight.
What Affected Users Can Do Now to Protect Themselves
If you uploaded an ID to Discord, proceed under the assumption that it could be abused. Practical steps include:
- Freezing your credit reports and placing a fraud alert with the appropriate major credit bureau.
- Monitoring bank and card statements for unusual activity.
- Watching for targeted phishing that uses accurate personal information stolen in these hacks.
- If your driver’s license was compromised, consult a local guide about how to get a new number.
- If a passport image was involved, check with the issuing authority on steps you might be able to take.
Be especially careful with messages that cite your purchase history or partial card digits. Attackers frequently weaponize “just enough” correct information to overcome skepticism. The Federal Trade Commission logs more than a million reports of identity theft each year, and data from ID documents remains one of the prime sources for those schemes.
Age Verification and Smarter Data Minimization Practices
This breach illustrates a broader problem in the industry: age verification workflows that require saving government-issued ID images. Intended to protect younger users and keep platforms compliant with regulations, these systems often hold onto more data than required and pool it in support tooling, where monitoring is not as strict as in core production systems.
Security experts have long campaigned for alternatives, whether zero-knowledge age checks, one-time verification tokens or third-party attestations that affirm eligibility without keeping a full ID image on file. For platforms of Discord’s scale, a move to verification flows with short storage TTLs could greatly limit the blast radius of inevitable support-layer breaches.
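To make the "verification token with a storage TTL" idea concrete, here is an added illustration written for this article; it is not Discord's code and does not describe how Discord actually verifies age. It assumes a one-time document check has already extracted a date of birth, and shows the only thing worth persisting afterwards: a signed, expiring boolean claim ("over 18"), with the ID image and the date of birth themselves discarded. The key, the 90-day TTL and the timestamps are constructed placeholders.

```python
import base64
import binascii
import hashlib
import hmac
import json
from datetime import date, datetime, timezone
from typing import Any, Dict, Optional

# Constructed demo key; a real deployment would keep this in a KMS/HSM and rotate it.
ATTESTATION_KEY = b"constructed-demo-key-do-not-reuse"
# Assumed retention window for the attestation itself. The ID image is never stored.
ATTESTATION_TTL_SECONDS = 90 * 24 * 60 * 60
MIN_AGE = 18


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def is_at_least(dob: date, on: date, min_age: int) -> bool:
    """True if someone born on `dob` is at least `min_age` years old on `on`."""
    try:
        birthday = dob.replace(year=on.year)
    except ValueError:  # 29 February in a non-leap year
        birthday = dob.replace(year=on.year, day=28)
    age = on.year - dob.year - (1 if on < birthday else 0)
    return age >= min_age


def issue_attestation(user_id: str, dob_iso: str, now_ts: int) -> Optional[str]:
    """Turn the outcome of a one-time document check into a signed boolean claim.

    `dob_iso` is the only field read from the document check; neither it nor the
    image is written anywhere. Returns None when the user does not qualify.
    """
    today = datetime.fromtimestamp(now_ts, tz=timezone.utc).date()
    if not is_at_least(date.fromisoformat(dob_iso), today, MIN_AGE):
        return None
    claims = {
        "sub": user_id,
        "age_ok": True,
        "min_age": MIN_AGE,
        "iat": now_ts,
        "exp": now_ts + ATTESTATION_TTL_SECONDS,
    }
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(ATTESTATION_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def stored_claims(token: str) -> Optional[Dict[str, Any]]:
    """Decode the payload without verifying it: this is all a leaked token exposes."""
    try:
        payload_b64, _ = token.split(".")
        return json.loads(_unb64(payload_b64))
    except (ValueError, binascii.Error):
        return None


def verify_attestation(token: str, user_id: str, now_ts: int) -> bool:
    """Check MAC (constant time), subject, minimum age and expiry."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload, sig = _unb64(payload_b64), _unb64(sig_b64)
    except (ValueError, binascii.Error):
        return False
    expected = hmac.new(ATTESTATION_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return False
    try:
        claims = json.loads(payload)
    except ValueError:
        return False
    return (
        claims.get("sub") == user_id
        and claims.get("age_ok") is True
        and claims.get("min_age", 0) >= MIN_AGE
        and isinstance(claims.get("exp"), int)
        and now_ts < claims["exp"]
    )


if __name__ == "__main__":
    now = 1_700_000_000  # constructed timestamp (2023-11-14 UTC)
    tok = issue_attestation("user-123", "2000-01-15", now)
    print("what a leaked token exposes:", stored_claims(tok))
    print("valid now:", verify_attestation(tok, "user-123", now + 60))
    print("valid after TTL:", verify_attestation(tok, "user-123", now + ATTESTATION_TTL_SECONDS))
```

The point of the design is the blast radius: a support agent or ticketing system that needs to know whether a user is verified only ever sees a token whose payload is a user id, a boolean and two timestamps, and even that goes stale after the TTL. The date-of-birth comparison handles the "turns 18 tomorrow" boundary and 29 February birthdays, and the MAC check rejects a payload spliced onto another user's signature.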
For now, the picture remains split between a verified 70,000 exposed IDs and a much larger cache being claimed by attackers. No matter what the total, the lessons are plain: verify only as you must, keep only what you need, and harden your help desk like it’s production — because to attackers, it is.