Monday, October 13, 2025

Hackers claim Discord breach exposed data of 5.5 million users


Discord says they will not be paying threat actors who claim to have stolen the data of 5.5 million unique users from the company’s Zendesk support system instance, including government IDs and partial payment information for some people.

The company is also pushing back on claims that 2.1 million photos of government IDs were disclosed in the breach, stating that approximately 70,000 users had their government ID photos exposed.

While the attackers claim the breach occurred through Discord’s Zendesk support instance, the company has not confirmed this and only described it as involving a third-party service used for customer support.

“First, as stated in our blog post, this was not a breach of Discord, but rather a third-party service we use to support our customer service efforts,” Discord told BleepingComputer in a statement.

“Second, the numbers being shared are incorrect and part of an attempt to extort a payment from Discord. Of the accounts impacted globally, we have identified approximately 70,000 users that may have had government-ID photos exposed, which our vendor used to review age-related appeals.”

“Third, we will not reward those responsible for their illegal actions.”

In a conversation with the hackers, BleepingComputer was told that Discord is not being transparent about the severity of the breach, stating that they stole 1.6 TB of data from the company’s Zendesk instance.

According to the threat actor, they gained access to Discord’s Zendesk instance for 58 hours beginning on September 20, 2025. However, the attackers say the breach did not stem from a vulnerability or breach of Zendesk but rather from a compromised account belonging to a support agent employed through an outsourced business process outsourcing (BPO) provider used by Discord.

As many companies have outsourced their support and IT help desks to BPOs, they have become a popular target for attackers to gain access to downstream customer environments.

The hackers allege that Discord’s internal Zendesk instance gave them access to a support application, known as Zenbar, that allowed them to perform various support-related tasks, such as disabling multi-factor authentication and looking up users’ phone numbers and email addresses.

Using access to Discord’s support platform, the attackers claimed to have stolen 1.6 terabytes of data, including around 1.5 TB of ticket attachments and over 100 GB of ticket transcripts.

The hackers say this consisted of roughly 8.4 million tickets affecting 5.5 million unique users, and that for about 580,000 users the data contained some sort of payment information.

The threat actors themselves acknowledged to BleepingComputer that they are unsure how many government IDs were stolen, but they believe it is more than 70,000, as they say there were approximately 521,000 age-verification tickets.

The threat actors also shared a sample of the stolen user data, which can include a wide variety of information, including email addresses, Discord usernames and IDs, phone numbers, partial payment information, date of birth, multi-factor authentication related information, suspicious activity levels, and other internal info.

The payment information for some users was allegedly retrievable through Zendesk integrations with Discord’s internal systems. These integrations reportedly allowed the attackers to perform millions of API queries to Discord’s internal database via the Zendesk platform and retrieve further information.

BleepingComputer could not independently verify the hackers’ claims or the authenticity of the provided data samples.

The hacker said the group demanded $5 million in ransom, later reducing it to $3.5 million, and engaged in private negotiations with Discord between September 25 and October 2.

After Discord ceased communications and released a public statement about the incident, the attackers said they were “extremely angry” and plan to leak the data publicly if an extortion demand is not paid.

BleepingComputer contacted Discord with additional questions about these claims, including why they retained government IDs after completing age verification, but did not receive answers beyond the above statement.
