Discord Breach Exposes User Data Through Support Partner

Discord has confirmed that one of its third-party customer support providers was hacked by an unauthorized party attempting to extort money from the company.

While the attackers didn’t gain access to Discord’s own systems, some user data shared with the Customer Support and Trust & Safety teams was affected — including government ID images submitted for age verification.

In an official statement, Discord said that any users impacted by the breach will be notified via email soon. The data potentially exposed includes names, Discord usernames, email addresses, contact details, payment methods, the last four digits of credit cards (but not full numbers or CVVs), purchase history, IP addresses, messages exchanged with support, and limited corporate data.

The most sensitive information in the breach involves government ID images, such as passports and driver’s licenses. Discord noted:

“If your ID may have been accessed, that will be specified in the email you receive.”

The company also clarified that no passwords, authentication data, or private messages were compromised — only those communications directly shared with customer support. Additionally, the affected support vendor’s system access has been revoked to prevent further issues.

For most users, the breach likely won’t have any impact, especially if they haven’t contacted Discord support recently. However, anyone concerned should watch for an official email from Discord and review identity theft and data breach guidance from organizations such as the IRS or UK’s National Cyber Security Centre (NCSC).

This incident comes six months after Discord introduced age verification in select regions, following regulations like the UK’s Online Safety Act, which made such verification mandatory. Some U.S. states have passed similar laws.

The breach underscores why many users remain uneasy about online ID verification policies — beyond privacy or censorship concerns, there’s a genuine risk in sharing sensitive personal documents with companies that may not have sufficient cybersecurity measures to protect them.