In October 2025, the users of Discord opened their eyes to some shocking news – hackers had stolen their government-issued IDs, personal information and support messages. Discord has said about 70,000 users were affected, although cybersecurity researchers and the attackers themselves painted a much more alarming picture: as many as 2 million ID photos were compromised. That Discord hoist everyone’s been warning you about if you’ve ever contacted Discord support or verified your age on the platform, your information may very well be in the dark right this instant. Here’s what we know about this breach at a third-party vendor, and what you should do right away to keep yourself safe.
Discord Breach Quick Facts (At-a-Glance Summary)
| Breach Detail | Information |
|---|---|
| Date Discovered | September 20, 2025 |
| Public Disclosure | October 3, 2025 |
| Users Affected | 70,000 (Discord’s claim) to 2.1M+ (hackers’ claim) |
| Compromised Vendor | 5CA (third-party customer support provider) |
| Data Stolen | Government ID photos, names, emails, IP addresses, billing info |
| Hacker Group | Scattered Lapsus$ Hunters (SLH) |
| Ransom Demand | $5M (reduced to $3.5M) |
| Discord’s Response | Refused to pay; revoked vendor access |
What Actually Happened in the Discord Security Incident?
Here’s what makes this breach particularly dangerous: Discord itself wasn’t hacked. Instead, cybercriminals infiltrated 5CA, a Netherlands-based third-party customer service provider that Discord relied on to process support tickets and age verification appeals.
The attack began on September 20, 2025, when hackers—identifying themselves as Scattered Lapsus$ Hunters—used social engineering tactics to compromise a support agent’s account. For approximately 58 hours, they had unrestricted access to Discord’s Zendesk ticketing system, siphoning off a massive 1.6 terabytes of sensitive user data.
Based on my research into similar third-party breaches, this attack pattern is becoming alarmingly common. In our testing of various platforms, we’ve found that outsourced customer support systems are consistently the weakest link in the security chain.
The Numbers Don’t Add Up: 70K or 2 Million IDs?
Here’s where things get murky. Discord officially states that approximately 70,000 users had their government ID photos exposed. However, Scattered Lapsus$ Hunters claims they stole over 2.1 million government-issued ID photos from 5.5 million unique users across 8.4 million support tickets.
Security researchers, including reputable sources like vx-underground (cited by Have I Been Pwned founder Troy Hunt), support the hackers’ higher numbers. This massive discrepancy raises serious questions about Discord’s transparency regarding the breach’s true scope.
What Personal Information Was Compromised?
If you contacted Discord’s Customer Support or Trust & Safety teams, here’s what the attackers potentially accessed:
| Data Category | Specific Information Exposed |
|---|---|
| Identity Documents | Passport photos, driver’s license images, government-issued ID selfies (age verification appeals) |
| Personal Details | Full legal names, Discord usernames, email addresses, IP addresses, physical addresses (from IDs) |
| Financial Information | Payment method types, last 4 digits of credit card numbers, purchase history, and transaction records |
| Communication Records | Complete transcripts of support ticket conversations, messages to Trust & Safety teams, and appeal submissions |
| What Wasn’t Compromised | Full credit card numbers, CVV codes, passwords, authentication tokens, and regular private messages |
Who Is Behind the Discord Hack?
Scattered Lapsus$ Hunters (SLH) represents a terrifying evolution in cybercrime. This coalition combines the most dangerous tactics from three notorious hacking groups:
- Scattered Spider – Experts in social engineering and IT helpdesk manipulation
- LAPSUS$ – Known for public extortion and data leak campaigns
- ShinyHunters – Specialists in bulk data theft and dark web monetization
In our experience tracking cybersecurity threats, SLH operates a sophisticated “Data Leak Site” (DLS) on the dark web where they auction stolen information, pressure victims publicly, and coordinate ransom demands.
Previous SLH Attacks
| Target | Impact |
|---|---|
| Salesforce | 91 major organizations affected |
| Data Theft Claims | 1.5 billion Salesforce records stolen |
| Major Brands | Louis Vuitton, Qantas, Air France-KLM, Cisco |
The group initially demanded $5 million from Discord, later reducing it to $3.5 million. Discord flatly refused, stating: “We will not reward those responsible for their illegal actions.”
The 5CA Controversy: Who’s Really to Blame?
Discord named 5CA, a Netherlands-based customer experience firm, as the compromised vendor on October 9, 2025. However, 5CA publicly denied responsibility, claiming:
“We can confirm that none of 5CA’s systems were involved, and 5CA has not handled any government-issued IDs for this client.”
This blame game raises critical questions:
- If not 5CA’s systems, then whose?
- Why did Discord route failed ID checks through a “manual verification” process?
- Were ID photos being stored when they should have been purged?
Discord’s primary age verification system, k-ID, automatically deletes ID images after conducting on-device checks specifically to prevent leaks like this. The breach occurred because users with failed automated checks were redirected through a backup manual verification system that kept permanent records—a decision that directly contradicts privacy-first security principles.
How the UK’s Online Safety Act Made This Breach Inevitable
Privacy advocates warned this would happen. The UK’s Online Safety Act, passed in July 2025, forced platforms like Discord to implement mandatory age verification using government IDs. This created exactly what hackers dream of: centralized databases containing millions of identity documents.
Electronic Frontier Foundation’s Maddie Daly stated: “Age verification systems are surveillance systems. A person who submits identifying information online can never be sure if websites will keep that information or how that information might be used or disclosed.”
This Discord breach validates every concern privacy experts raised about government-mandated ID collection. When platforms are legally required to verify ages with sensitive documents, they inevitably create high-value targets for cybercriminals—similar to how platforms like Instagram track and store your viewing history without users fully understanding the data collection scope.
Immediate Actions You Must Take If You’re Affected
Discord is emailing impacted users from noreply@discord.com. If you received a notification (or even if you haven’t but contacted support recently), here’s your step-by-step protection plan:
Critical Steps (Do These Today)
| Action | What to Do | Why It Matters |
|---|---|---|
| Verify Notification | Official emails ONLY from noreply@discord.com; Discord NEVER calls about security | Prevents falling for phishing scams |
| Enable MFA | Use an authenticator app (Google Authenticator, Authy) | Prevents account takeover even with compromised email |
| Credit Freeze | Contact Experian, Equifax, TransUnion | Blocks new credit accounts in your name |
| Monitor Finances | Check bank statements daily; set real-time alerts | Catches unauthorized transactions immediately |
| ID Replacement | Contact the government ID authority; request invalidation | Prevents criminals from using your stolen documents |
Long-Term Protection Strategies
Watch for Targeted Phishing: Criminals will use your stolen support ticket history to craft hyper-realistic scam emails. They might reference specific issues you discussed with Discord support. I’ve seen this tactic successfully fool even tech-savvy users.
Identity Theft Monitoring: Consider services like Have I Been Pwned, Bitdefender Digital Identity Protection, or similar tools that scan the dark web for your stolen data.
Report to Authorities:
- File reports with Action Fraud (UK users)
- Contact local cybercrime reporting centers
- Create an official paper trail for disputing future fraud
Why Stolen Government IDs Are Worse Than Password Breaches
In our testing of dark web marketplaces, government IDs command premium prices because they enable “forever fraud.” Here’s why this breach is particularly devastating:
The Immutable Data Problem
| Changeable Data | Unchangeable Data (Stolen in Breach) |
|---|---|
| Passwords (can reset) | Legal name |
| Credit card numbers (can be replaced) | Date of birth |
| Email addresses (can change) | ID number |
| Phone numbers (can switch) | Facial biometrics |
| – | Physical appearance from the ID photo |
Perfect Storm for Synthetic Identity Fraud: Criminals combine your real ID with fabricated information to create “synthetic identities” for opening bank accounts, applying for loans, or committing financial crimes in your name.
Cryptocurrency Community at Extreme Risk: Discord serves as the primary communication hub for crypto projects, NFT communities, and blockchain networks. Hudson Rock’s CTO Alon Gal explained: “This database is going to be huge for solving crypto-related hacks and scams because scammers don’t often remember using a burner email and VPN, and almost all of them are on Discord.”
Stolen data linking your Discord username to your real identity puts cryptocurrency holders, traders, and developers at heightened risk for targeted phishing attacks, wallet-draining schemes, and extortion.
Could This Have Been Prevented?
Absolutely. Zero-knowledge proof technology offers a privacy-preserving alternative to collecting and storing millions of ID photos. This cryptographic method mathematically verifies someone’s age without revealing their full identity or requiring document storage.
Companies Using Privacy-First Age Verification
| Company | Technology | Launch Date |
|---|---|---|
| Concordium | Blockchain-based age verification app | August 2025 |
| Google Wallet | Zero-knowledge proofs integration | April 2025 |
The technology exists. The question is whether platforms prioritize user privacy over convenience and whether lawmakers understand the inherent risks of mandating ID collection.
Discord’s Response and What Happens Next
Discord acted swiftly once the breach was discovered:
Immediate Actions Taken
- Revoked 5CA’s access to all ticketing systems
- Engaged a leading computer forensics firm
- Notified law enforcement and data protection authorities
- Began contacting affected users via email
Ongoing Investigation
Discord is cooperating with law enforcement to track down the perpetrators. The company has also committed to auditing all third-party vendor access and implementing enhanced security controls.
Class Action Lawsuits
Multiple law firms are investigating potential class action litigation against Discord.
Final Thoughts: Lessons From the Discord ID Leak
This breach teaches us three critical lessons:
For one, age verification laws that mandate ID storage are creating honeypots for hackers.
Second, the weakest security link in your platform is often the third-party vendors you use. Companies need to adopt a zero-trust model and continuously monitor every single external partner.
Third, users deserve transparency. There’s a credibility gulf between Discord’s 70,000 figure and evidence of more than 2 million compromised IDs that in this case, honesty would be the best policy.
If you were hit by this breach, act now. If your ID has been leaked by the government, you might be at risk of identity theft for life, and that should be protected against right now.
Stay healthy, turn on MFA wherever it is available, and demand that any site asking for your government-issued ID has proof in hand that they are using privacy-first verification methods before you fork over irreplaceable identity documents.
