Discord Confirms Data Breach and Notifies Affected Users

The popular messaging app Discord confirmed last week that it had suffered a data breach. Malicious actors accessed sensitive information through a third-party service, stealing an unknown number of users’ private data, such as government IDs, names, and addresses.

According to The Guardian, Discord — an online platform with over 200 million active monthly users — confirmed it had suffered a data breach and that malicious actors had requested a ransom.

The platform stated that hackers ​​“also gained access to a small number of government ID images (e.g., driving license, passport) from users who had appealed an age determination,” and that it would notify affected users whose private data had been compromised. The company had been requiring users’ IDs to verify their ages.

According to one of the users affected who shared their experience in Forbes, Discord provided a few more details in the message sent to the victims.

“We’re reaching out to you because of a recent security incident on September 20 involving your personal data,” wrote Discord in the email. “An unauthorized party targeted our third-party customer support services to access user data.”

Discord mentioned that hackers accessed limited financial information, such as the last four digits of credit cards and payment history, as well as IP addresses and messages related to interactions with the customer support service.

According to Bleeping Computer, the threat group The Scattered Lapsus$ Hunters (SLH) claimed responsibility for the attack. They said that they got access through the customer service software Zendesk. However, the case is still under investigation.

Discord had recently been affected by another vulnerability. Earlier this year, a flaw in Cloudflare's Content Delivery Network allowed malicious actors to reveal a user’s location by sending an image. Discord was one of the platforms affected by the vulnerability.