Discord faces fallout after third-party breach exposes user data

On October 9, 2025, Discord issued an update regarding the security incident involving its third-party customer service provider, 5CA, providing clarification on the scope and aftermath of the breach.

 

What happened 

The update confirmed that approximately 70,000 users had data exposed due to unauthorized access at 5CA, but emphasized that Discord’s own systems were not compromised. The company detailed the types of information involved, including names, usernames, email addresses, limited billing information, IP addresses, and a small number of government-issued ID images used for age verification. 

Discord also outlined the steps it had taken since discovering the incident: revoking 5CA’s access to its ticketing system, initiating a forensic investigation, notifying relevant data protection authorities, collaborating with law enforcement, and contacting affected users via email.

 

The backstory

On October 3, 2025, Discord announced a security incident involving one of its third-party customer service providers. An unauthorized party allegedly gained access to data from a limited number of users who had interacted with Discord’s Customer Support or Trust & Safety teams. 

The information exposed included names, Discord usernames, email addresses, limited billing details such as payment type and the last four digits of credit cards, IP addresses, messages exchanged with support agents, and a small number of government ID images, including driver’s licenses and passports, from users who submitted documents for age verification.

 

What was said 

According to the update, “This was not a breach of Discord, but rather a breach of a third party service provider, 5CA, that we used to support our customer service efforts.”

 

What it means for Discord 

While Discord asserts that the breach was due to a third-party vendor's compromise, it acknowledges its responsibility to protect user data. The company is reviewing its third-party security protocols and has notified relevant data protection authorities. This incident reinforces the need for security measures when outsourcing services that handle sensitive user information. The breach has led to Discord severing its relationship with 5CA by revoking their access to Discord's systems.

 

FAQs

What is a third-party breach?

A third-party breach occurs when an external vendor, contractor, or service provider that has access to a company’s systems or data is compromised.

 

Who is responsible for a third-party breach?

Responsibility is shared. The third party is directly responsible for securing its systems. However, the company that outsourced services (e.g., Discord) is responsible for selecting trustworthy vendors, enforcing security standards, and notifying affected users if data is exposed.

 

Are companies absolved if the breach is caused by a third party?

No. While liability may be mitigated if the breach occurred solely on a vendor’s side, companies still have legal and ethical obligations to protect data, notify affected individuals, and strengthen third-party controls.