Discord Zendesk Breach: Data of 5.5M Users Allegedly Exposed

Hackers claim 5.5M Discord users’ data was stolen via a Zendesk support breach, including ID photos and billing info.

Discord recently made headlines when security researchers reported that hackers had accessed data from its customer support platform. According to BleepingComputer, attackers claim to have breached Discord’s Zendesk support system and stolen roughly 1.6 TB of data covering about 5.5 million unique users. The stolen material allegedly includes support tickets and attachments, containing personal information such as email addresses, phone numbers, and partial payment details. Perhaps most alarming, the attackers say they grabbed users’ submitted government ID images (driver’s licenses, passports) used for age verification. In response, Discord insists this was a third-party support breach and disputes the scale, urging users not to panic.

Alleged Zendesk Support Breach

The attackers say they broke into Discord’s Zendesk instance on September 20, 2025, maintaining access for about 58 hours. They claim the breach stemmed not from a Zendesk vulnerability but from a compromised support agent account at an outsourced vendor (a common “BPO” support firm). Once inside, the cybercriminals reportedly used an internal tool (“Zenbar”) to perform tasks like disabling multi-factor authentication on user accounts and querying user contact information. In total, they allege about 8.4 million support tickets were exfiltrated from approximately 5.5 million users. The extortion group even boasted that roughly 580,000 tickets contained some form of payment info.

  • Data Stolen: The purported haul includes a wide range of user data. Reports from Malwarebytes and BleepingComputer indicate that exposed fields could include usernames, email addresses, and Discord IDs; phone numbers and contact info; partial billing details (payment types and last 4 digits of cards); support chat logs and IP addresses; and government-issued ID scans submitted for age checks.
  • Extent of IDs: Hackers claim they obtained roughly 2.1 million ID images from age-verification requests. Discord disputes that number: the company says only about 70,000 users’ ID photos may have been exposed, and it plans to notify those individuals by email. No complete credit card numbers or user passwords were taken, according to Discord’s advisory.

Discord’s Official Response

Discord has confirmed a security incident but stresses it was limited to a “third-party service” – not a breach of Discord’s own servers. In a statement to BleepingComputer, Discord said the hackers’ numbers “are incorrect” and part of an extortion attempt, reiterating that “we will not reward those responsible for their illegal actions”. The company insists only ~70,000 ID images were involved, not the millions claimed, and that all affected users are being notified. According to The Verge, Discord has revoked the support vendor’s access to its ticketing system, engaged a forensics team, and alerted law enforcement and data protection authorities. Discord also warned users that any official breach notification will come only via email from noreply@discord.com.

Risks and Takeaways

This incident highlights how sensitive user data can be exposed when attackers target third-party support tools. Security experts note that supply-chain and third-party attacks have surged in 2025. In practice, a breach like this could enable identity theft (from leaked IDs) or financial fraud (from partial billing info). For users, the key is vigilance: check for official Discord communications (as promised, impacted users will get a clear email) and consider changing linked payment details if concerned. For companies, the lesson is to rigorously vet and monitor vendors, enforce strict access controls, and prepare for extortion attempts. As CybersecurityNews observes, “this incident highlights the growing threat of supply chain attacks, where attackers target less secure third-party partners”.
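
To make the vendor-monitoring point concrete, the following added example (not code from Discord, Zendesk, or any of the cited reports) applies two detection rules to constructed support-platform audit events: bulk ticket access by a single agent account, and MFA being disabled on a user account by a vendor-side agent. The event field names, action names, and the hourly threshold are assumptions for illustration, not Zendesk's audit schema.

```python
from collections import defaultdict
from datetime import datetime

# Hypothetical action names for reads of ticket content.
VIEW_ACTIONS = {"ticket.view", "attachment.download"}

def sample_events():
    """Constructed audit events; all names and values are made up."""
    events = []
    for i in range(12):  # ordinary agent: 12 tickets across one hour
        events.append({"ts": f"2025-01-01T09:{i * 5:02d}:00", "org": "vendor",
                       "actor": "agent-a@vendor.example",
                       "action": "ticket.view", "target": f"A{i}"})
    for i in range(400):  # anomalous agent: 400 distinct tickets in one hour
        events.append({"ts": f"2025-01-01T03:{i % 60:02d}:00", "org": "vendor",
                       "actor": "agent-b@vendor.example",
                       "action": "ticket.view", "target": f"B{i}"})
    events.append({"ts": "2025-01-01T03:59:30", "org": "vendor",
                   "actor": "agent-b@vendor.example",
                   "action": "user.mfa_disable", "target": "user-123"})
    return events

def find_anomalies(events, max_tickets_per_hour=100):
    """Return (rule, actor, detail) tuples for events that warrant review."""
    tickets = defaultdict(set)  # (actor, hour bucket) -> distinct ticket ids
    findings = []
    for e in events:
        hour = datetime.fromisoformat(e["ts"]).strftime("%Y-%m-%dT%H")
        if e["action"] in VIEW_ACTIONS:
            tickets[(e["actor"], hour)].add(e["target"])
        elif e["action"] == "user.mfa_disable" and e["org"] == "vendor":
            # Outsourced agents changing MFA state is always worth a second look.
            findings.append(("mfa_disable_by_vendor", e["actor"], e["target"]))
    for (actor, hour), seen in sorted(tickets.items()):
        if len(seen) > max_tickets_per_hour:
            findings.append(("bulk_ticket_access", actor,
                             f"{len(seen)} tickets in {hour}"))
    return findings

if __name__ == "__main__":
    for finding in find_anomalies(sample_events()):
        print(finding)
```

In practice the threshold would be tuned against each agent's own historical baseline rather than fixed at one number.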

In summary, while the full scope of the breach remains unverified, the claims serve as a stark reminder of modern cyber risks. Whether all the hackers’ allegations prove true or not, Discord is treating it as serious and has promised a full investigation. Users should stay informed through official channels and tighten their own security (e.g. strong MFA, scam awareness) to mitigate any fallout from this incident.
