A "limited number of government-ID images" were exposed in a security breach involving Discord's customer service system

Discord's third-party customer service provider experienced a cybersecurity breach by an "unauthorized party," compromising data that included some government-issued identification cards.

On Friday, Discord informed users about the breach, mentioning that "information from a limited number of users" who had interacted with their Customer Support or Trust & Safety departments was accessed.

The incident involved ID verification for age determination, raising concerns about the security of using external services to meet UK Online Safety Act requirements.

The data that was accessed includes:

• Name, Discord username, email, and other contact information if shared with Discord support
• Type of payment, last four digits of credit cards, and purchase records tied to an account
• IP addresses
• Correspondences with customer support personnel
• Some corporate data (such as training materials and internal presentations)
• A limited number of government-issued IDs (like driver's licenses or passports) from users contesting age assessments

The breach did not affect passwords, authentication data, complete credit card details, CCV codes, or Discord activities "beyond exchanges with customer support."

The company stated, "Upon discovering the attack, we swiftly took action to resolve the issue and protect data."

Steps taken included removing the customer service provider’s system access, initiating an internal probe, collaborating with a prominent computer forensics company for assistance with investigation and corrective measures, and notifying law enforcement.

Users affected by the incident will receive notifications from noreply@discord.com. Discord will refrain from making phone calls to those impacted.

Users whose ID was specifically accessed will be informed via email.