This post is also available in:
עברית (Hebrew)
A recent cyberattack targeting Discord’s customer support system has exposed personal data from approximately 70,000 users, drawing renewed attention to the security risks of outsourcing age verification to third-party vendors. The breach, carried out by the cybercriminal group Scattered LAPSUS$ Hunters, was reportedly made possible through unauthorized access to Zendesk, a platform used by Discord’s global support partner, 5CA.
The attackers claim to have obtained access the system for over two days, during which they allegedly extracted 1.6 terabytes of data. This includes roughly 521,000 age verification tickets and 8.4 million support tickets overall. While Discord has confirmed the breach impacted users who had interacted with its Customer Support or Trust & Safety teams, the company maintains that only around 70,000 ID documents were likely compromised. These were submitted as part of age-related appeals under compliance with digital safety regulations.
According to Cyber News, the incident underscores how age verification—while increasingly mandated by legislation such as the UK’s Online Safety Act—can open new attack surfaces when handled by external providers. The stolen data includes not only government-issued ID photos but also usernames, emails, IP addresses, limited billing details, and chat logs with customer service. Partial payment information for over half a million users was also reportedly exposed.
Security experts warn that as governments expand digital verification requirements, reliance on third-party solutions introduces vulnerabilities. The ability to harvest sensitive personal information through a single point of access makes customer support platforms an appealing target for attackers. Researchers note that such vendors may operate across jurisdictions with varying levels of data protection oversight, further complicating risk management.
Discord stated it has revoked access for the affected vendor, notified law enforcement, and is continuing its investigation. It has begun contacting users whose data may have been compromised.
This breach raises broader concerns around data security in digital identity systems and highlights the need for tighter controls, improved monitoring, and greater accountability when handling sensitive user information—especially when third parties are involved.
Discord’s official press release can be found here.
