Discord Data Breach – 1.5TB of Data and 2M ID Photos Held for Ransom

Discord discovered that threat actors had gained unauthorized access to the customer service environment of Zendesk, the outsourced support provider that handles Discord’s Trust & Safety and customer support tickets.

Attackers compromised a support agent’s account and maintained access for 58 hours, during which they exfiltrated a reported 1.5 terabytes of sensitive user data.

The group claiming responsibility, Scattered Lapsus$ Hunters (SLH), publicly taunted Discord and demanded a ransom, asserting they held 2,185,151 government-issued identification photos submitted by users for age verification.

Discord’s subsequent internal investigation refutes those figures, stating that approximately 70,000 users had their ID images exposed rather than the millions claimed.

The incident did not breach Discord’s core infrastructure or customer databases but exploited vulnerabilities in the vendor’s ticketing system, underscoring the risks of supply chain attacks on less secure third-party operations.

Scope of Exposed Information and Company Response

The stolen dataset includes user names, Discord usernames, email addresses, customer support message transcripts, IP addresses, and limited billing information such as payment methods and the last four digits of credit card numbers.

Crucially, the exposed government identification images consist of driver’s licenses, passports, and other ID proofs submitted by users appealing age restrictions.

Upon learning of the breach, Discord immediately revoked all vendor access to its ticketing systems and terminated the partnership with the compromised Zendesk environment.

The company engaged a leading computer forensics firm and notified law enforcement and data protection authorities.

Discord stressed that full credit card numbers, passwords, and private message contents outside customer support interactions were not affected.

Affected users will receive direct email notifications detailing the breach of their ID images and guidance on protective measures.

Implications for Supply Chain Security

This incident spotlights the growing threat of cybercriminals targeting third-party service providers to circumvent stronger security controls at larger organizations.

Supply chain attacks, such as this breach of outsourced customer support, can expose vast troves of sensitive verification documents and personal data.

Organizations must enforce stringent security standards, continuous monitoring, and access controls for all partners handling critical user information.

The full impact of this breach remains uncertain. Discord has refused to pay the ransom demanded by SLH and is closely monitoring the threat actors’ movements to determine if the stolen data will be publicly released.

As investigations continue, companies across the technology sector are urged to reassess their vendor risk management strategies to prevent similar compromises.


CVE Table

| CVE ID | Affected Component | Description | Exploit Prerequisite | CVSS 3.1 Score |
|---|---|---|---|---|
| None assigned | Zendesk customer support portal | Unauthorized access via compromised agent credentials | Valid support agent login credentials | N/A |


AnuPriya
AnuPriya is a cybersecurity reporter at Cyber Press, specializing in cyber attacks, dark web monitoring, data breaches, vulnerabilities, and malware. She delivers in-depth analysis on emerging threats and digital security trends.
