Discord third-party breach exposes user data and government IDs

On October 3, 2025, Discord announced a security incident involving one of its third-party customer service providers. 

What happened 

An unauthorized party allegedly gained access to data from a limited number of users who had interacted with Discord’s Customer Support or Trust & Safety teams. The information exposed included names, Discord usernames, email addresses, limited billing details such as payment type and the last four digits of credit cards, IP addresses, messages exchanged with support agents, and a small number of government ID images, including driver’s licenses and passports, from users who submitted documents for age verification. 

No full credit card numbers, CCV codes, passwords, or account activity outside of support communications were accessed. The attacker's apparent motive was extortion: using the stolen data to pressure Discord into paying.

What was said

According to the notice of security incident released on the Discord website, "As soon as we became aware of this attack, we took immediate steps to address the situation. This included revoking the customer support provider's access to our ticketing system, launching an internal investigation, engaging a leading computer forensics firm to support our investigation and remediation efforts, and engaging law enforcement."

The company response

The company initiated an internal investigation and engaged a leading computer forensics firm to assess the scope of the breach and implement remediation measures.

Discord also notified relevant data protection authorities and is collaborating with law enforcement to investigate the incident further. The company is in the process of notifying affected users via email, providing them with information about the breach and guidance on protective measures.

Beyond these immediate actions, Discord has committed to reviewing and strengthening its threat detection systems and the security controls it applies to third-party support providers.

Why it matters 

Organizations may not even be aware of every third-party vendor that touches their data, which leaves the risk invisible until a breach occurs. Incidents involving third parties can expose millions of records at once; the Episource breach, for example, affected 5.4 million individuals. A single phishing email that succeeds against a vendor can result in exposure across many customer sites, which is particularly devastating for rural healthcare providers who rely heavily on outside partners for needed services.

FAQs

How do third-party breaches happen?

Third-party breaches often result from phishing attacks, weak passwords, unpatched software vulnerabilities, insider threats, or misconfigured systems within the vendor's own environment. Healthcare data is a frequent target because of its high value on the black market.

What kind of data can be exposed?

Exposed information may include patient names, addresses, dates of birth, Social Security numbers, medical records, insurance information, billing details, and even login credentials. Exactly what is exposed depends on which third-party system was affected.

Are healthcare organizations liable for breaches caused by third parties?

Yes. Under HIPAA, healthcare organizations remain responsible for safeguarding PHI even when a third party (business associate) is involved. T