Discord data breach exposes user support tickets to hackers

Summary

– Hackers stole partial payment info and personal data including names and government IDs from Discord users by compromising a third-party customer service provider on September 20.
– The breach affected a limited number of users who interacted with Discord’s customer support and exposed data such as email addresses, IP addresses, and photos of government IDs.
– Discord responded by isolating the provider, launching an investigation with forensics experts, and engaging law enforcement after the hackers demanded a ransom.
– The Scattered Lapsus$ Hunters group claimed responsibility, stating they accessed Discord user data through a Zendesk breach.
– Security experts warn the stolen data could help solve crypto hacks and scams, as it contains extensive identity information often used by scammers on Discord.

A recent security incident at Discord has exposed sensitive user information after hackers infiltrated a third-party customer support provider. The breach, occurring on September 20th, impacted a limited subset of users who had submitted tickets to Discord’s customer support or Trust and Safety departments. While Discord initially served the gaming community, its platform now supports over 200 million monthly active users across diverse interest groups through text, voice, and video communication features.
The attackers obtained unauthorized entry into the external customer service platform Discord employs. Upon discovery, Discord moved swiftly to contain the situation by cutting off the provider’s access to its ticketing infrastructure. The company also initiated an internal probe, enlisted a top-tier digital forensics team to assist with the investigation and recovery, and notified law enforcement agencies. The hackers demanded a ransom from Discord, threatening to publicly release the stolen data if their financial demands were not met, indicating a clear profit-driven motive.
Compromised information includes a range of personally identifiable details such as users’ actual names, usernames, email addresses, and additional contact information shared with support staff. Also exposed were IP addresses, the content of messages sent to support agents, and any file attachments included in those communications. For a small group, the breach extended to images of official identification like driver’s licenses or passports. Partial billing data was accessed as well, covering the type of payment method, the final four digits of credit card numbers, and records of past purchases linked to the affected accounts.
The VX-Underground security collective highlighted the severity of this exposure, noting that the stolen data effectively constitutes a person’s complete identity. Alon Gal, CTO of Hudson Rock, a threat intelligence firm, suggested that if this database is leaked, it could become an invaluable resource for tracing cryptocurrency-related fraud and hacking incidents. He explained that many scammers active on Discord often neglect basic operational security, failing to consistently use untraceable email addresses and virtual private networks.
The exact number of impacted users remains undisclosed, and Discord has not revealed the identity of the third-party vendor or the specific method used to gain access. However, the cybercriminal faction known as Scattered Lapsus$ Hunters (SLH) has publicly taken credit for the attack. Evidence shared by the group includes a screenshot of a Kolide access control list pertaining to Discord staff with administrative console permissions. Kolide is a security tool that integrates with Okta’s cloud identity management system to enforce multi-factor authentication.
SLH informed BleepingComputer that the intrusion was made possible by a breach at Zendesk, the customer service software provider, which allowed them to exfiltrate the Discord user data. Discord has not yet provided additional comments in response to media inquiries. This incident echoes a broader pattern of third-party service compromises; recently, the ShinyHunters extortion group allegedly stole over 1.5 billion records from hundreds of companies by exploiting stolen OAuth tokens from Salesloft Drift. The group has since established a dedicated leak site listing dozens of affected organizations.
(Source: Bleeping Computer)