Discord Breach Sparks Age Verification & Third-Party Privacy Concerns

Verified and vulnerable.
David Eberly
Contributing Writer

Discord, the popular messaging platform with over 200 million monthly active users, has confirmed a data breach that exposed sensitive user information, including government-issued identification documents. The incident stemmed from an attack on one of Discord’s third-party customer service providers. It affects a limited number of users who had submitted IDs for manual age verification.

This breach occurred as Discord ramped up compliance with age verification laws in countries such as Australia and the UK.

Although Discord stated that no passwords, full credit card numbers, or in-app activity were compromised beyond support communications, the breach still involved highly sensitive personal information.

The cybercriminal group “Scattered Lapsus$ Hunters,” which includes members from notorious groups ShinyHunters and Scattered Spider, has claimed responsibility. It has posted alleged internal Discord screenshots and threatened to leak data.

The company has launched an internal investigation and notified affected users directly.

Why It Matters: The growing body of regulation around age verification systems as a form of security, along with third-party data handling practices, is under scrutiny following the attack, especially as governments push for tighter online age restrictions. The breach raises alarms about the risks of storing and transmitting sensitive identity documents on large platforms.

  • The Breach Originated from a Compromised Third-Party Provider: Discord clarified that its internal systems were not directly breached. Instead, the incident was traced to an external customer service vendor who had access to Discord’s support and trust teams. This vendor was responsible for handling user inquiries that included age verification appeals, giving attackers a pathway to sensitive data. The company responded by revoking the vendor’s access and notifying law enforcement, initiating a broader internal investigation to assess the breach’s scope.
  • Government IDs and Personal Information Were Among Exposed Data: The data accessed in the breach included usernames, email addresses, billing info, IP addresses, and communications with customer support. More critically, the attacker accessed a small number of government-issued IDs submitted by users during age appeal processes. These users were notified individually. While Discord says ID images are deleted after use, this exposure highlights the risks of storing and transmitting them through support channels.
  • Scattered Lapsus$ Hunters Claim Responsibility: A group of cybercriminals identifying as “Scattered Lapsus$ Hunters” took credit for the breach. They allegedly gained access to internal Discord tools and posted screenshots via Telegram as proof. The group’s predecessors have a known history of targeting major corporations, such as Jaguar Land Rover and Marks & Spencer, and in this case, threatened to leak user data and ridiculed Discord’s support infrastructure. While the group’s claims haven’t been independently verified, experts have noted their past credibility.
  • Core Discord Features and Passwords Were Not Affected: Discord emphasized that critical user data such as passwords, full credit card numbers, CVV codes, and any private in-app communications outside of customer support were not compromised. However, even partial exposure of payment methods and identification info could pose risks of malicious activity. Users were advised to monitor for suspicious activity and remain cautious of potential scams or impersonation attempts in the wake of the breach.
  • The Breach Comes Amid Regulatory Changes Around Age Verification: The timing of the breach is notable as Discord recently expanded its facial age assurance systems in countries like Australia and the UK to comply with new child safety laws. Australia’s forthcoming December ban on social media access for users under 16 requires platforms to offer robust and flexible age verification methods, including, but not limited to, government ID submission. The breach raises pressing concerns about the security of these mechanisms and the responsibility platforms have in safeguarding sensitive user information.

Go Deeper -> Proof-of-age ID leaked in Discord data breach – The Guardian

Your Government ID May Have Been Accessed in Discord’s Data Breach – PCMag

Trusted insights for technology leaders

Our readers are CIOs, CTOs, and senior IT executives who rely on The National CIO Review for smart, curated takes on the trends shaping the enterprise, from GenAI to cybersecurity and beyond.
