Thieves steal IDs and payment info after data leaks from Discord support vendor

Discord has confirmed customers' data was stolen – but says the culprit wasn't its own servers, just a compromised support vendor.

The chat platform revealed late last week that an unnamed customer service vendor had been compromised, exposing support tickets and personal details submitted by users who had contacted Discord's help or Trust & Safety teams.

The company stressed that its own systems were not directly accessed. However, stolen data may include names, email addresses, billing information such as payment type and the last four digits of credit cards, and – in some cases – images of government IDs provided for age verification purposes.

Discord stated that attackers could access IP addresses, messages, and attachments sent to customer service agents.

"An unauthorized party targeted our third-party customer support services to access user data, with a view to extort a financial ransom from Discord," the company said.

Discord said it cut off the vendor's access as soon as the intrusion was detected, launched an internal investigation, and notified law enforcement. The company is now emailing affected users, warning them to stay alert for scams or attempts to exploit the stolen information.

• Red Hat fesses up to GitLab breach after attackers brag of data theft
• Oracle tells Clop-targeted EBS users to apply July patch, problem solved
• Criminals take Renault UK customer data for a joyride
• Clop-linked crims shake down Oracle execs with data theft claims

Some reports have named a customer support vendor, but the company has not confirmed that detail, nor has it named the contractor responsible for handling support tickets.

The number of people affected remains unanswered. Discord describes the number as "limited," but with more than 200 million active users each month, even a sliver of its support interactions could amount to a sizable haul of personal data.

Discord has yet to respond to The Register's questions about which vendor was compromised or how many users were caught in the breach. The company now faces the unenviable task of reassuring users that their personal data is secure – even when it wasn't its own systems that sprang the leak. ®