
70,000+ Government IDs Leaked in Discord x Zendesk Breach
Discord has said its third-party support provider (using Zendesk) was compromised – leading to the theft of ~71,000 government IDs used in manual age verification. Discord has published a press release providing some information on the scope of the breach, which we’ll outline below.
VX Underground, a reputable source of breach alerts, reporting, and malware information, has revealed more information about the breach (beyond what’s contained in Discord’s press release). Recently, VX have reported the extortion claim and the numbers being circulated, which mostly corroborate Discord’s press release.
In short, an unauthorized party accessed Discord’s third-party customer service platform, and extracted a significant volume of data from it. Reporting on the makeup of this data is currently evolving rapidly, with conflicting reports from various sources.
TL;DR – Discord x Zendesk Breach
This story has evolved rapidly; however, recent reporting from VX Underground has corroborated Discord’s original press release.
- Discord’s Zendesk instance was breached. VX Underground have reported the threat actor claims to have successfully bribed an offshore team member using Zendesk, responsible for Discord’s Support Channel that handled manual ID verification.
- A significant volume of customer support conversations and rich media may have been harvested (IPs, usernames, support messages, incomplete payment information)
- ~71,000 government-issued IDs were leaked as part of the breach.
- Additional information stolen includes Discord usernames, emails, user contact info, incomplete billing information (payment type, last 4 digits), IP addresses, and message exchanges with Discord’s trust & safety team.
How Did the Discord x Zendesk Breach Happen?
According to Discord’s incident notice, their ticket system (Zendesk) was accessed by a third party, who was able to steal a large volume of sensitive data – including ~71,000 age verification images and ID photos.
Since the initial press release, VX Underground have received a stream of information from the threat actor responsible for the breach. Originally, the threat actor claimed to have over 2.1M (1.5TB) age verification photos from the breach, as reported by VX. Keep in mind, threat actors may lie about breach details to obfuscate their attack path or protect themselves from repercussions.
Since VX’s initial report, the threat actor retracted this statement and affirmed that they have ~71,000 ID photos – corroborating Discord’s press release. All reporting has consistently pointed towards Discord’s Zendesk instance as the source, accessed via an outsourced team member, contracted by Discord through a third party Zendesk Partner called “5CA”.
VX have since shared more details from the threat actor, who claims that a BPO (Business Process Outsourcing) employee in a South-East Asian country accepted a bribe in exchange for granting access to the support system, allowing the threat actor to extract the ID images & other data.

While it is reassuring that Discord’s communications have been verified by the threat actor, one glaring problem remains. Discord allowed a third-party, offshore team to conduct manual age verification checks, and store the ID photos used in the checks. Allowing manual age-appeal ID images to be retained created an avoidable risk & highlights a clear data retention problem.
Discord recently began automated age & ID verification system roll-outs (through another third party called k-ID). Facial age-estimation is processed on-device and ID images are deleted after verification. This is a critical distinction – the automated system was not breached, and if it was, it is unlikely to have been as fruitful for the attacker.
The manual ID verification process (occurring within Zendesk) however, did not have the same privacy & security features.
What is Discord doing about the breach?
You can read a full explanation of Discord’s follow-up actions and response here. In short, their actions (completed or in progress) include:
- contacting affected parties
- revoking Zendesk’s access to their ticketing system
- working with law enforcement
In general, we’re pleased that Discord have been transparent about the impact and details of the breach. However, the seriousness of this should not be minimized.
In many cases, the stolen government-issued IDs may be mappable against usernames and IP addresses. On top of this, billions of Discord messages in public servers have been scraped across two separate, recent instances (April 2025, May 2025 & the earlier spy.pet bot). Together, this may enable threat actors to build detailed social graphs of Discord users, which can be used to carry out more sophisticated, targeted exploits like identity theft, financial crimes, & fraud.
How to know if I was impacted by the Discord Data Breach?
Discord says it is emailing impacted users from noreply@discord.com and will not call you about this incident.
The company recommends staying alert to suspicious messages and has reported the attack to data protection authorities. Law enforcement is involved and the stated motive included an extortion attempt.
Even if you haven’t been impacted, you should take preventative measures to minimize the volume of data Discord holds about you.
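A visible From address alone can be forged, so a message claiming to be this notice is better judged by the DMARC verdict your own mail provider recorded in the raw headers. The sketch below is an added example, not Discord's or Redact's code; the `mx.example.net` server name and the sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

EXPECTED_SENDER = "noreply@discord.com"  # the address named in Discord's notice

def check_notice(raw, trusted_authserv):
    """Return (ok, reason) for a raw message claiming to be the breach notice.

    trusted_authserv is the authserv-id your own mail provider stamps on
    Authentication-Results (an assumption: look it up in a known-good message).
    """
    msg = message_from_string(raw)
    froms = msg.get_all("From", [])
    if len(froms) != 1:
        return False, "missing or duplicated From header"
    # parseaddr separates the display name from the real address, so a display
    # name that merely contains the expected address does not count.
    addr = parseaddr(froms[0])[1].lower()
    if addr != EXPECTED_SENDER:
        return False, "From address is not " + EXPECTED_SENDER
    domain = addr.rsplit("@", 1)[1]
    # Headers are read top-down; the first result stamped by our own server is
    # the one it added on receipt. Results from other servers are ignored.
    for header in msg.get_all("Authentication-Results", []):
        authserv, _, results = header.partition(";")
        if (authserv.split() or [""])[0].lower() != trusted_authserv.lower():
            continue
        for clause in results.split(";"):
            verdict = re.match(r"\s*dmarc=(\w+)", clause, re.I)
            aligned = re.search(r"header\.from=([\w.-]+)", clause, re.I)
            if verdict and aligned:
                if verdict.group(1).lower() == "pass" and aligned.group(1).lower() == domain:
                    return True, "DMARC pass aligned with " + domain
                return False, "DMARC did not pass for " + domain
        return False, "no DMARC result from trusted server"
    return False, "no Authentication-Results from trusted server"

def sample(from_header, dmarc, authserv="mx.example.net"):
    """Build a constructed test message (not a real Discord e-mail)."""
    return ("Authentication-Results: %s; spf=pass smtp.mailfrom=discord.com;\n"
            " dmarc=%s header.from=discord.com\n"
            "From: %s\nSubject: Notice about your account\n\nbody\n"
            % (authserv, dmarc, from_header))
```

A passing result only shows the message came from the discord.com domain; links and requests inside it still deserve the caution described in the steps further down.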
What Does This Mean for ID & Age Verification on Discord?
With Discord rolling out ID checks, starting with UK users, more sensitive data will pass through vendors that help verify identities/user age, and handle age-verification appeals. That makes the security of the third parties they work with just as important as Discord’s own controls.
Discord’s third-party ID verification provider is not the same as Zendesk, and it appears to be a considerably more secure way to share sensitive documents. However, if a similar incident ever hits a third-party ID verification provider, the fallout will be catastrophic. Imagine the Tea App breach earlier this year, but many orders of magnitude larger.
Platform-led ID verification is dangerous. Even with responsible third parties handling it, the more individual platforms you need to hand your documents over to, the greater the risk. It is only a matter of time before novel techniques are developed and deployed, to exploit ID verification providers.
Practical Steps to Minimize Data Breach Harms
Here are some immediate steps you can take to avoid negative outcomes from this breach, or future security incidents that may target Discord or their vendors:
- If you’re concerned about the Discord / Zendesk breach, consider requesting a copy of your data from Discord; this will give you better visibility on how a breach could impact you, even if you dodged this one.
- Watch for phishing that references a past support ticket. Treat unexpected password reset prompts and payment requests with caution.
- If you sent ID to appeal an age decision or due to a failed automatic check, monitor for misuse and consider placing a fraud alert with your local credit bureau.
- Rotate any email addresses you used only for support if spam surges.
- Review connected apps and active sessions inside Discord and sign out everywhere you do not recognize.
- Keep two-factor authentication on with a TOTP app, and avoid using SMS.
How Redact Can Help Protect You Against Data Breaches
Support system breaches often lead to phishing that uses your own words or references past support conversations. One way to limit copy-paste material is to reduce your overall footprint.
Redact lets you bulk delete messages on Discord, including your own posts in servers you can access and your DMs. You can filter by keywords or date range, preview before deleting, and schedule recurring cleanups so older conversations that no longer serve you are removed. A smaller footprint gives scammers less to weaponize if your details surface elsewhere.
Redact supports dozens of other major social and productivity platforms. You can try it free for deletions on Twitter, Facebook, and Reddit.