
Discord support breach may have exposed photo IDs for millions of users

Late last week, Discord reported a recent breach involving its third-party customer support partner, Zendesk. But new information indicates the stolen data could be worse than originally thought, including millions of government photo IDs.

Update 1: Zendesk sent the following statement: “Our investigation indicates this incident did not arise from a vulnerability within Zendesk’s platform. Zendesk’s own systems were not compromised.

Photos of user government IDs were stolen from Discord’s support partner

When Discord first laid out the findings from the recent customer support breach impacting its users, the company mentioned certain types of data that had been stolen. It highlighted the following:

  • Name, Discord username, email and other contact details if provided to Discord customer support
  • Limited billing information such as payment type, the last four digits of your credit card, and purchase history if associated with your account
  • IP addresses
  • Messages with our customer service agents 
  • Limited corporate data (training materials, internal presentations)

Finally, Discord also mentioned one last very important addition:

The unauthorized party also gained access to a small number of government‑ID images (e.g., driver’s license, passport) from users who had appealed an age determination.

If you’re unfamiliar with this age verification process, you can read more here.

Discord says it is in the process of emailing every user who may have been impacted. But the language of “small number” seemed to downplay that aspect of the breach.

Security researcher vx-underground, in a post on X, says things are worse than expected.

Discord has not confirmed these numbers, but if true, it would represent a much larger portion of breached sensitive data than was originally communicated.

Though most of the data types Discord mentioned as potentially breached weren’t especially sensitive, government IDs like driver’s licenses and passports are clearly a more severe problem.

It’s unclear if Discord has finished sending all of its emails to impacted users yet, but the company says “If you were impacted, you will receive an email from noreply@discord.com.”


Update 2: In a statement to The Verge, Discord spokesperson Nu Wexler said that “the numbers being shared are incorrect. (…) Of the accounts impacted globally, we have identified approximately 70,000 users that may have had government-ID photos exposed (…).”

Have you received an email from Discord about the breach? Let us know in the comments.


Author

Ryan Christoffel
