Last week, it was reported that a third-party platform which handles customer service data on behalf of Discord was hacked, resulting in government IDs with age verification photos being leaked for many users. The exact scale of this breach was unknown because impacted customers were privately informed about it by Discord, but there is lots of speculation online.
Popular X (formerly Twitter) account vx-underground posted recently that as many as 2.1 million users have had their data leaked through 1.5TB of photos of passports and other government-issued ID. Now, Discord spokesperson Nu Wexler has shot down these rumors, claiming that the scale of this attack has been greatly exaggerated, and that roughly 70,000 users are actually impacted.
In a statement to The Verge, Wexler said:
Following last week’s announcement about a security incident involving a third-party customer service provider, we want to address inaccurate claims by those responsible that are circulating online. First, as stated in our blog post, this was not a breach of Discord, but rather a third-party service we use to support our customer service efforts. Second, the numbers being shared are incorrect and part of an attempt to extort a payment from Discord. Of the accounts impacted globally, we have identified approximately 70,000 users that may have had government-ID photos exposed, which our vendor used to review age-related appeals. Third, we will not reward those responsible for their illegal actions.
Wexler further emphasized that affected users have already been informed and that the company is collaborating with law enforcement agencies. Discord has also ended its customer support contract with Zendesk, the third-party service that was hacked. It has secured the affected systems to prevent further exfiltration of data too. Regardless, the breach is pretty major since it involves email IDs, photos, the last four digits of credit cards, IP addresses, government-issued identification photos, and more.