“Small number of government-ID images” compromised in Discord customer service breach

A third-party customer service provider used by Discord was hacked by an “unauthorised party” resulting in a data breach including “a small number of government-IDs.”

Last Friday, Discord notified users that “information from a limited number of users” who had contacted its Customer Support or Trust & Safety teams were obtained.

This included IDs from those who appealed age determination, highlighting the potential security implications of using third-party companies to comply with the Online Safety Act.

Discord listed the data that was breached, which included:

• Name, Discord username, email and other contact details if provided to Discord customer support
• Payment type, last four digits of credit cards, and purchase history if associated with an account
• IP addresses
• Messages with customer service agents
• Limited corporate data (training materials, internal presentations)
• A small number of government‑ID images (e.g., driver’s license, passport) from users who had appealed an age determination

The data breach did not include passwords or authentication data, full credit card numbers or CCV code, or messages and activity on Discord “beyond discussions with customer support.”

“As soon as we became aware of this attack, we took immediate steps to address the situation,” the company said.

“This included revoking the customer support provider’s access to our ticketing system, launching an internal investigation, engaging a leading computer forensics firm to support our investigation and remediation efforts, and engaging law enforcement.”

Users impacted by the data breach will receive an email from noreply@discord.com. Discord will not contact affected users by phone.

Those whose ID was accessed will be specifically notified in the email.