Discord Data Breach: 70,000 Government IDs Exposed After Third-Party Hack

Ethan Cole
Ethan Cole I’m Ethan Cole, a digital journalist based in New York. I write about how technology shapes culture and everyday life — from AI and machine learning to cloud services, cybersecurity, hardware, mobile apps, software, and Web3. I’ve been working in tech media for over 7 years, covering everything from big industry news to indie app launches. I enjoy making complex topics easy to understand and showing how new tools actually matter in the real world. Outside of work, I’m a big fan of gaming, coffee, and sci-fi books. You’ll often find me testing a new mobile app, playing the latest indie game, or exploring AI tools for creativity.
4 min read 113 views
Discord Data Breach: 70,000 Government IDs Exposed After Third-Party Hack

Discord has confirmed a third-party data breach that exposed around 70,000 government ID photos — far fewer than the 2.1 million claimed by hackers.
The company says it has refused to pay a $3.5 million ransom and has ended all contact with the attackers.

The Discord data breach underscores growing cybersecurity risks tied to third-party vendors. As tech platforms depend more on external partners for customer support and verification, securing those integrations becomes increasingly critical.

How the Discord data breach happened

The incident occurred on September 20, 2025, when hackers gained unauthorized access to a third-party customer support system used by Discord. Through that breach, they obtained access to personal data such as names, email addresses, contact details, limited payment information, and government ID documents used for age verification.

However, Discord clarified that its core platform was not compromised. No user passwords or account credentials were exposed.
Instead, the stolen data came from a third-party vendor, making this a supply-chain attack rather than a direct platform hack.

This distinction matters. While the data exposure is serious, the Discord infrastructure and authentication systems remain intact. The incident highlights the danger of depending on external services for critical user functions.

Discord refuses ransom and disputes hacker claims

In a public statement, Discord confirmed it refused to pay the demanded ransom.

“We will not reward those responsible for their illegal actions,” the company said.

Hackers initially demanded $5.5 million, later reducing it to $3.5 million after weeks of failed negotiations. Discord chose to sever all communications instead of complying.

The company also challenged the attackers’ inflated claims.
According to Discord, only 70,000 users’ government ID photos were exposed — not the 2.1 million claimed by the hackers.

“This was not a breach of Discord itself but a third-party service used to support our customer service efforts,” the statement added.

This discrepancy raises familiar questions in cybersecurity. Threat actors often exaggerate data volumes to pressure companies into paying, while victims may understate impact to control public perception.

Hackers claim millions of records compromised

Hackers told security researchers a very different story. They claimed to have accessed over 8.4 million support tickets linked to 5.5 million users.
They also said they held more than 521,000 government ID verification tickets, though they admitted their earlier “2.1 million” figure was inflated.

Samples of the stolen data were reportedly shared with researchers. However, the full scope of the exposure has not been independently verified.

Why the Discord data breach matters

This case is another reminder that even secure platforms can be compromised through third-party systems.
Customer support platforms often hold sensitive information, including ID documents used for verification and dispute resolution.

As privacy laws such as GDPR and state regulations evolve, companies are increasingly held responsible for third-party data incidents. This puts extra pressure on tech firms to audit their vendors and enforce stronger security requirements.

For users, the breach highlights an uncomfortable truth: their personal data might exist in systems beyond the platform they trust. Age verification files or ID photos could be stored on multiple servers, each with different security standards.

Discord’s response and future implications

Discord’s choice to reject ransom demands aligns with guidance from law enforcement and cybersecurity experts, who warn that payments rarely guarantee safety. Paying may even encourage future attacks.

While this stance could result in leaked data, it also sends a clear message — no compromise with cybercriminals.
The company has not yet announced whether it will offer identity protection for affected users.

As the investigation continues, experts expect platforms to re-examine vendor contracts and apply stricter data handling policies. For users, staying alert to phishing or identity theft attempts remains crucial.

Read also

Join the discussion in our Facebook community.

Share this article: