
Discord Security Breach via Third-Party Support
Discord users have been impacted by a security breach via the platform’s third-party support provider, Zendesk. Discord has published a press release providing some information on the scope of the breach, which we’ll outline below.
In short, an unauthorized party accessed Discord’s third-party customer service platform, and extracted a significant volume of data from it. Reporting on the makeup of this data is currently evolving rapidly, with conflicting reports from various sources.
What Did the 2025 Discord Data Breach Contain?
According to Discord’s incident notice, their ticket system (Zendesk) was accessed by a third party, who was able to steal a currently unclear volume of data – including age verification images and ID photos.
Discord has recently begun age & ID verification system rollouts (through another third party). However, some instances of automated verification have failed, at which point users are encouraged to undertake manual verification via Discord’s Trust and Safety team. Discord are currently reporting “approximately 70,000” users impacted through government ID leaks.
However, VX underground, a reputable source of breach details & scopes (HIBP founder Troy Hunt quote-tweeted them here), has shared conflicting details, putting the number of age verification images at up to ~2.1 million.

We’ve reached out to a contact at VX to see if there are more details, and will continue monitoring the story. Here’s what seems certain at this point:
- Discord’s Zendesk instance was breached
- A significant volume of customer support conversations and rich media was harvested
- User IDs were leaked as part of the breach, though this may range anywhere from ~70,000 – 2,000,000+ based on the conflicting reports.
- Additional information stolen includes Discord usernames, emails, user contact info, incomplete billing information (payment type, last 4 digits), IP addresses, and message exchanges with Discord’s trust & safety team.
Whether 70,000 IDs were stolen, or millions, the issue is not volume. It’s Discord’s decision to encourage failed ID checks to get routed through their third party support provider, who ‘manually’ checks the ID, and for some unknown reason, keeps a record of the ID & verification images provided. This is a disappointing, obvious failure that is directly attributable to Discord.
Their default automated ID check system, k-ID, which we covered in detail here, purges ID and verification images after conducting a check locally (on-device). They handle it this way specifically to avoid leaking people’s IDs – which they have now done, because ID checks were being conducted through a ‘backup’ system that does not prioritize privacy and security in the same way as their ID check provider.
Discord should have never directed users to go through a ‘manual check’ process when k-ID fails. The blame rests squarely on this policy.
What is Discord doing about the breach?
You can read a full explanation of Discord’s follow-up actions and response here. But in short, they have been (or are in the process of):
- contacting affected parties
- revoking Zendesk’s access to their ticketing system
- working with law enforcement
At least 70,000 people’s government-issued IDs were compromised, mappable against their username and IP. On top of this, Discord have allowed billions of messages in public servers to be scraped across two separate instances (April 2025, May 2025 & the earlier spy.pet bot).
Discord’s repeated failure to secure their users’ data (with varying degrees of sensitivity) gives bad actors a detailed social graph, which can be used to carry out more sophisticated, targeted exploits – identity theft, financial crimes, & fraud.
How to know if I was impacted by the Discord Data Breach?
Discord says it is emailing impacted users from noreply@discord.com and will not call you about this incident.
The company recommends staying alert to suspicious messages and has reported the attack to data protection authorities. Law enforcement is involved and the stated motive included an extortion attempt.
If you haven’t been impacted, understand that Discord has a security incident every few months; you should take preventative measures to minimise the volume of data Discord holds about you.
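An added example, not from Discord or the original article: a sender address alone proves little because the From header can be forged, so this Python check looks at a saved message for the noreply@discord.com address together with a DMARC pass recorded by your own mail server. The authserv-id `mx.recipient.example`, the function name and both sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

EXPECTED = "noreply@discord.com"  # sender address named in Discord's notice
MY_MX = "mx.recipient.example"    # assumption: authserv-id your own mail server stamps

def notice_problems(raw, authserv=MY_MX):
    """Return reasons to distrust a claimed breach notice (empty list = passed)."""
    msg = message_from_string(raw)
    domain = EXPECTED.split("@")[1]
    problems = []
    if parseaddr(msg.get("From", ""))[1].lower() != EXPECTED:
        problems.append("From is not " + EXPECTED)
    # Trust only Authentication-Results stamped by our own server; a sender
    # can add look-alike headers carrying any other authserv-id.
    verdicts = []
    for header in msg.get_all("Authentication-Results", []):
        ident, _, rest = " ".join(str(header).split()).partition(";")
        if ident.lower().split()[:1] == [authserv.lower()]:
            verdicts.append(rest.lower())
    passed = r"dmarc=pass\b[^;]*header\.from=" + re.escape(domain) + r"(?![\w.-])"
    if not any(re.search(passed, v) for v in verdicts):
        problems.append("no trusted DMARC pass for " + domain)
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    if reply_to and not reply_to.endswith("@" + domain):
        problems.append("Reply-To leaves " + domain)
    return problems

# Constructed sample messages, not real Discord mail.
GENUINE = (
    "Authentication-Results: mx.recipient.example; dkim=pass header.d=discord.com;"
    " dmarc=pass header.from=discord.com\n"
    "From: Discord <noreply@discord.com>\n"
    "Subject: Security incident notice\n\nBody.\n"
)
SPOOFED = (
    "Authentication-Results: mail.sender.example; dmarc=pass header.from=discord.com\n"
    "Authentication-Results: mx.recipient.example; dmarc=fail header.from=discord.com\n"
    "From: Discord <noreply@discord.com>\n"
    "Reply-To: support@discord-help.example\n"
    "Subject: Security incident notice\n\nBody.\n"
)

if __name__ == "__main__":
    for name, raw in (("genuine", GENUINE), ("spoofed", SPOOFED)):
        print(name, notice_problems(raw) or "passed")
```

A message that passes these checks is only consistent with Discord's stated sender; it still warrants the caution about password reset prompts and payment requests described in this article.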
What Does This Mean for ID & Age Verification on Discord?
With Discord rolling out ID checks, starting with UK users, more sensitive data can briefly pass through vendors that help verify identity or handle appeals. That makes the security of the third parties they work with just as important as Discord’s own controls.
Discord’s third-party ID verification provider is not the same as Zendesk, and it appears to be a considerably more secure way to share sensitive documents. However, if a similar incident ever hits a third-party ID verification provider the fallout will be catastrophic. Imagine the Tea App breach earlier this year, but many orders of magnitude larger.
Platform-led ID verification is dangerous. Even with responsible third parties handling it, the more individual platforms you need to hand your documents over to, the greater the risk. It is only a matter of time before novel techniques are developed and deployed to exploit ID verification providers.
Practical Steps to Minimize Data Breach Harms
- Watch for phishing that references a past support ticket. Treat unexpected password reset prompts and payment requests with caution.
- If you sent ID to appeal an age decision or due to a failed automatic check, monitor for misuse and consider placing a fraud alert with your local credit bureau.
- Rotate any email addresses you used only for support if spam surges.
- Review connected apps and active sessions inside Discord and sign out everywhere you do not recognize.
- Keep two-factor authentication on with a TOTP app; avoid using SMS.
- If you’re concerned about the Discord / Zendesk breach, consider requesting a copy of your data from Discord; this will give you better visibility on how a breach could impact you, even if you dodged this one.
How Redact Can Help Protect You Against Data Breaches
Breaches around support systems often lead to phishing that cites your own words back to you. One way to limit copy-paste material is to reduce your overall footprint.
Redact lets you bulk delete messages on Discord, including your own posts in servers you can access and your DMs. You can filter by keywords or date range, preview before deleting, and schedule recurring cleanups so older conversations that no longer serve you are removed. A smaller footprint gives scammers less to weaponize if your details surface elsewhere.
Redact supports dozens of other major social and productivity platforms. You can try it free for deletions on Twitter, Facebook, and Reddit.