I got a strange email from Discord last Friday at the very end of the work day informing me of “a recent security incident on September 20 involving your personal data.” It said personal info related to my account had been compromised, but not full credit card info or my personal address. The email made it seem like only a small number of people were impacted and simply told me to “stay alert” about any suspicious emails I might get. Suspicious? On the internet? In 2025? Good luck! Nearly a week late it’s becoming clear that this “limited access” hack of a “third-party customer service system used by Discord” is a much bigger deal than it originally seemed.
“A small number of government‑ID images (e.g., driver’s license, passport) from users who had appealed an age determination” were included in the leak, Discord informed users like me last week. According to a new report by 404 Media, the hackers responsible gloated in a Telegram group that they actually had 1.5TB of users’ personal data. Discord admitted to The Verge last night that it actually believes up to 70,000 users may have had their government IDs breached. There’s already a class-action lawsuit being filed in California.
One of the big culprits in this entire mess is legislation like the UK’s controversial Online Safety Act which requires users to prove to platforms that they’re 18 years or older using selfies and government IDs. In the era of a $1 trillion generative AI deal-industrial complex, that feels like potentially putting your entire identity up for grabs on the internet. “Online ID checks may seem like a common-sense solution, but that facade hides a much darker truth: lawmakers are pressuring companies to implement surveillance and censorship tactics and it’s putting all of us in danger,” anti-surveillance campaigner Sarah Philips told Kotaku in an email.
Chat, we are cooked
Discord is being extorted by the people who compromised their Zendesk instance
They’ve got 1.5TB of age verification related photos. 2,185,151 photos
tl;dr 2.1m Discord users drivers license and/or passport might be leaked. Unknown number of e-mails
— vx-underground (@vxunderground) October 8, 2025
As 404 Media reports, the hackers have been threatening the popular social gaming platform with partial releases of its trove of sensitive data, which includes everything from partial phone numbers to the last time a given user was seen on Discord. The samples reportedly include screengrabs of thumbnails of users’ identification selfies as well as a help desk ticket that seemingly belongs to alleged Charlie Kirk shooter Tyler Robinson.
How did the hackers get this data to begin with? A spokesperson for ZenDesk, the third-party customer service company supporting Discord, told 404 Media its systems were “not compromised.” Infosec account vx-underground was told the breach came via an outsourced support agent.
“All affected users globally have been contacted and we continue to work closely with law enforcement, data protection authorities, and external security experts,” Discord spokesperson Nu Wexler told The Verge earlier this week. “We’ve secured the affected systems and ended work with the compromised vendor. We take our responsibility to protect your personal data seriously and understand the concern this may cause.”
Discord did not immediately respond to a request for comment on the claims it’s being extorted or the vulnerability that led to the hack.
