Discord has confirmed that roughly 70,000 government identification documents, along with age-verification selfies, were exposed to attackers who broke into a third-party support vendor.
“Hackers are now sharing samples in messaging groups to scare the shaming sites,” Adrián Rodríguez, Ekans author, said in an interview. “It’s a well-known issue that resell cracktro tools.” The incident is an unsettling escalation of a breach that highlights the risks of outsourcing sensitive identity checks, and the far-reaching consequences of age-verification mandates.
What Discord Says Was Stolen in Vendor Breach
According to Discord, the incident affected users who had submitted IDs to appeal age-related decisions on their accounts. Exposed information includes images of ID documents, the selfies taken to verify age, and details connected to customer support conversations. The company says that passwords, authentication data, and full payment card numbers were not accessed.
Discord says it is contacting affected users directly and has involved law enforcement. Notifications are being sent from the company’s official email address, and recipients should stay alert to the opportunistic phishing that typically follows major breaches.
How Attackers Got In Through A Support Contractor
The intrusion began with a compromise at 5CA, a contractor that helps run customer support operations for Discord. The attackers are said to have had access to the records for around 58 hours through a hijacked support agent account, and later attempted to extort Discord. This is another failure in the chain of trust, a recurring theme in recent incidents: the target’s own perimeter may be hardened, but third parties are often the weakest link.
Hackers Are Trading Selfies and Spreadsheets
404 Media journalists examined a Telegram channel where the attackers are circulating what they say are samples of the stolen data. The shared material includes selfies of users holding their IDs, as well as a spreadsheet listing more than a thousand email addresses together with location details, partial phone numbers, and security settings such as whether multi-factor authentication is enabled. The group had earlier told BleepingComputer it held data on tens of millions of users, but Discord says the number of records with accompanying ID images is far smaller and confined to the age-verification appeal process.
Why Age Verification Data Raises the Stakes
Selfies with government IDs are among the most sensitive categories of personal data. They are used for know-your-customer checks across banks, crypto exchanges, gig platforms, and gaming services. In the hands of a bad actor, this combination enables identity theft, synthetic identity fraud, and account takeover schemes that go far beyond what answering basic security questions would allow. It is also an invitation to doxing and targeted harassment, because the images are easily recognizable and often tied to location metadata or user handles.
Privacy advocates have long warned that centralized age-verification systems create lucrative honeypots. Groups such as the Electronic Frontier Foundation and other digital rights activists argue that requiring platforms to collect IDs at scale inevitably magnifies the fallout from breaches and deters people from using legitimate services. Some adult sites have refused to deploy upload-based age checks in certain regions for precisely this reason.
What Users Impacted Should Do Right Now
- Beware of targeted phishing that mentions support tickets, ID uploads, or “account verification.”
- Treat unsolicited links and attachments as malicious, and confirm the message through proper channels.
- Remember that attackers often mix real breach data with social engineering when they phish for credentials.
- If you suspect misuse, place a fraud alert on your credit file.
- Consider a credit freeze with the major bureaus to block new credit lines from being opened. Even though financial data was not exposed, ID images and biographic details are useful for impersonation attempts at lenders and mobile carriers.
- If you sent a driver’s license or passport, refer to the guidance from your issuing authority on obtaining replacements and monitoring. Policies differ, but some regions allow reissue when an ID is compromised in a breach. Maintain documentation of the notification for any remediation further down the line.
- Review your data footprint with identity-verification vendors. Where applicable, use data subject access and deletion rights under privacy law to limit how long ID images are retained. Where you have a choice, prefer platforms that rely on privacy-preserving age checks, such as on-device age estimation or third-party token systems that never store the raw ID.
- Turn on MFA for all accounts associated with the leaked email address, and rotate any passwords reused across services. While Discord indicates that passwords were not obtained, attackers could still use the breach to go after reused credentials on other services.
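The "third-party token systems that do not store raw IDs" mentioned above can be made concrete. The following is an added example, not Discord's, 5CA's or any vendor's code: the verifier checks the document, discards it, and hands the platform only a signed "over 18" verdict bound to a platform-chosen session id. The issuer and audience names, the 24-hour lifetime and the shared HMAC key are assumptions; a real deployment would sign with an asymmetric key so the platform holds only a public key.

```python
"""Minimal age-attestation token: the verifier returns a signed claim and
keeps no copy of the ID or selfie. Illustrative example code only."""
import base64
import hashlib
import hmac
import json
import secrets
from datetime import date, datetime, timezone

# Assumed shared secret between the verification vendor and the platform.
# A real deployment would use an asymmetric signature (the platform holds
# only the public key); HMAC keeps this example within the stdlib.
VERIFIER_KEY = b"example-shared-secret-replace-me"
TOKEN_TTL_SECONDS = 24 * 3600   # assumed token lifetime
CLOCK_SKEW_SECONDS = 300        # tolerated clock drift between the parties
_SEEN_JTI: set = set()          # replay cache (in-memory for the example)


def _b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(payload: bytes, key: bytes) -> bytes:
    return hmac.new(key, payload, hashlib.sha256).digest()


def is_over_18(date_of_birth: date, now: float) -> bool:
    """Exact age check against the UTC date for the given epoch time."""
    today = datetime.fromtimestamp(now, tz=timezone.utc).date()
    age = today.year - date_of_birth.year - (
        (today.month, today.day) < (date_of_birth.month, date_of_birth.day)
    )
    return age >= 18


def issue_age_token(session_id: str, date_of_birth_iso: str, now: float,
                    key: bytes = VERIFIER_KEY) -> str:
    """Verifier side. The date of birth is what the document check yielded;
    the ID image and selfie are consumed by that check and never persisted.
    Only the boolean verdict, bound to the platform's session id, is signed."""
    claims = {
        "iss": "age-verifier",    # assumed issuer name
        "aud": "platform",        # assumed audience
        "sub": session_id,        # opaque id chosen by the platform, not a user id
        "over_18": is_over_18(date.fromisoformat(date_of_birth_iso), now),
        "iat": int(now),
        "exp": int(now) + TOKEN_TTL_SECONDS,
        "jti": secrets.token_urlsafe(16),   # unique id for replay detection
    }
    # Canonical encoding so verifier and platform MAC identical bytes.
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    return _b64u(payload) + "." + _b64u(_sign(payload, key))


def verify_age_token(token: str, session_id: str, now: float,
                     key: bytes = VERIFIER_KEY, seen: set = _SEEN_JTI) -> dict:
    """Platform side. Returns the claims or raises ValueError. The platform
    never receives the ID image, only this token."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload = _b64u_decode(payload_b64)
        sig = _b64u_decode(sig_b64)
    except (ValueError, TypeError) as exc:
        raise ValueError("malformed token") from exc
    # Check the MAC before trusting any field of the payload.
    if not hmac.compare_digest(sig, _sign(payload, key)):
        raise ValueError("bad signature")
    claims = json.loads(payload)
    if claims.get("iss") != "age-verifier" or claims.get("aud") != "platform":
        raise ValueError("wrong issuer or audience")
    if claims.get("sub") != session_id:
        raise ValueError("token not bound to this session")
    if claims["iat"] > now + CLOCK_SKEW_SECONDS or claims["exp"] <= now:
        raise ValueError("token not yet valid or expired")
    if claims["jti"] in seen:
        raise ValueError("token replayed")
    seen.add(claims["jti"])
    return claims


def token_accepted(token: str, session_id: str, now: float,
                   key: bytes = VERIFIER_KEY, seen: set = _SEEN_JTI) -> bool:
    """Convenience wrapper: True if the platform would accept the token."""
    try:
        verify_age_token(token, session_id, now, key, seen)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    import time
    sid = secrets.token_urlsafe(8)          # platform creates the session first
    tok = issue_age_token(sid, "1990-05-01", time.time())
    print(verify_age_token(tok, sid, time.time()))
```

The session binding is what stops a leaked token from being replayed against another account, and the replay cache stops the same token being presented twice; neither the verifier nor the platform needs to keep the document image once the verdict is signed.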
A Familiar Pattern With Third Party Risk
This incident fits a larger pattern of supply-chain and vendor compromises feeding downstream breaches. Security teams are increasingly focused on vendor access controls, session monitoring, and data minimization for high-risk processes such as ID verification. Guidance such as NIST’s likewise recommends retaining sensitive data only as long as it is needed and strictly separating support tools from the underlying user data.
For Discord and platforms like it, the lesson is clear: the age-check workflow must be treated as critical infrastructure. For users, the lesson is just as stark. Any time a service asks you to take a selfie with your ID, ask how it is stored, for how long, and whether a contractor can see it. The answers determine how much risk you are left holding when, not if, a vendor’s defenses break.