Discord Confirms: Hackers Stole Identity Documents of 70,000 Users
Discord has confirmed that it will not pay a ransom to the attackers who claim to have stolen the data of 5.5 million users. The stolen information reportedly includes copies of identity documents and partial payment details. However, the company insists that the actual number of affected users is around 70,000.
The incident, which occurred on September 20, 2025, was caused by the compromise of a third-party vendor providing customer support services to Discord. The company says it immediately isolated the affected vendor from its ticketing system and launched an internal investigation.
At the time, Discord stated that the breach impacted a “limited number of users” who had interacted with Support or Trust and Safety specialists.
Compromised Information
According to the company, the stolen data may include:
- Users’ real names and Discord nicknames
- Email addresses and other contact information provided to support
- IP addresses, messages, and attachments sent to the help desk
- Partial payment information (payment method, last four digits of the card, and purchase history)
Worse, the attackers also obtained photographs of identity documents—such as driver’s licenses, passports, and student IDs—submitted by users for age verification.
Initially, Discord declined to specify how many users were affected or which vendor had been breached. However, BleepingComputer later reported that the hackers compromised Zendesk, the company’s customer service platform. A threat group calling itself “Scattered Lapsus$ Hunters”—allegedly made up of members of Scattered Spider, LAPSUS$, and ShinyHunters—claimed responsibility.
The group asserted that they had exfiltrated data belonging to 5.5 million users, including 2.1 million identity documents and payment information.
Discord Responds
In a new statement, Discord refuted those claims, emphasizing that the attackers’ figures were “inaccurate and part of an extortion attempt.”
“First, as already stated in our blog, this was not a breach of Discord itself but of a third-party service we use for customer support,” the company said. “Second, the numbers being circulated are incorrect. Based on our investigation, approximately 70,000 users globally may have had identity document photos compromised. Our contractor used these images solely to verify users’ age. Third, we do not intend to reward the perpetrators for their illegal actions.”
Attackers’ Claims
The hackers told BleepingComputer that Discord was “downplaying the scale” of the breach. They claimed to have stolen 1.6 TB of data from the company’s Zendesk instance and maintained access for 58 hours, beginning September 20.
According to the attackers, the breach was not caused by a vulnerability in Zendesk itself but by the compromise of a customer support employee’s account hired through a business process outsourcing (BPO) contractor.
They also claim that Discord’s Zendesk setup included an internal support tool called Zenbar, which allowed them to perform actions such as disabling multi-factor authentication (MFA) and viewing users’ phone numbers and email addresses.
Using this access, they allegedly stole 8.4 million support tickets linked to 5.5 million unique users, including about 580,000 tickets containing payment-related information.
The attackers admitted they did not know the exact number of stolen identity documents but estimated the number exceeds 70,000, citing 521,000 age verification tickets.
One hacker told BleepingComputer that the group initially demanded a $5 million ransom, later lowering it to $3.5 million, and claimed to have negotiated with Discord from September 25 to October 2, 2025.
After Discord ended talks and released its public statement, the group said they were “extremely irritated” and threatened to release the stolen data if their demands were not met.
BleepingComputer stressed that it could not independently verify the attackers’ claims or the authenticity of the data samples provided.
