Discord has been hit by a massive data breach.
The company said about 70,000 users may have had their government ID photos exposed after one of its third-party customer service vendors, not Discord’s own systems, was compromised.
It all started when a hacker collective calling itself vx-underground claimed on X (Twitter) that it had 1.5 terabytes of age verification photos, around 2.1 million images, allegedly stolen from Discord’s support system, which runs on Zendesk.
Chat, we are cooked
Discord is being extorted by the people who compromised their Zendesk instance
They've got 1.5TB of age verification related photos. 2,185,151 photos
tl;dr 2.1m Discord users drivers license and/or passport might be leaked. Unknown number of e-mails
In other words: a whole lot of selfies with driver’s licenses.
Discord spokesperson Nu Wexler told The Verge that the hackers’ claims were “inaccurate” and part of an attempted extortion scheme to make Discord pay up.
“This was not a breach of Discord itself,” Wexler clarified, adding that the real number of affected users is a fraction of what’s being shared online.
The compromised data, Discord says, came from a vendor used to verify users’ ages, which explains why ID photos were involved in the first place.
So far, Discord has not paid the attackers, has shut down operations with the affected vendor, and says it’s working with law enforcement and cybersecurity experts to clean up the mess.
The company has also contacted everyone affected by the breach, though if you recently uploaded your ID for age verification, maybe double-check your inbox (and your peace of mind).
Along with ID photos, Discord said that some personal data, like names, usernames, emails, IP addresses, and the last four digits of credit cards, might also have been caught up in the leak.
But now, there’s a twist: the vendor in question, 5CA, says it wasn’t hacked.
5CA says it’s conducting an ongoing forensic investigation with cybersecurity experts and “ethical hackers,” maintaining that “the incident occurred outside of our systems” and that there’s no evidence of any impact on other 5CA clients or data.
“We can confirm that none of 5CA’s systems were involved, and 5CA has not handled any government-issued IDs for this client. All our platforms and systems remain secure, and client data continues to be protected under strict data protection and security controls.”
“Our preliminary information suggests the incident may have resulted from human error, the extent of which is still under investigation. We remain in close contact with all relevant parties and will share verified findings once confirmed.”
So, while Discord insists the issue originated from a third-party breach, 5CA says it wasn’t hacked and didn’t even handle the government ID photos in question.
Both companies agree that the incident did not occur within Discord’s own systems, but where, exactly, it happened remains unclear.
Discord says it’s tightening things up, but for now, maybe think twice before sending your government ID to the internet.
Ronil is a Computer Engineer by education and a consumer technology writer by choice. Over the course of his professional career, his work has appeared in reputable publications like MakeUseOf, TechJunkie, GreenBot, and many more. When not working, you’ll find him at the gym breaking a new PR.