Hackers have reportedly stolen more than two million government identification photos from Discord’s third-party support system and are now threatening to leak them unless the company pays a ransom.
The breach, which occurred on September 20, involved Discord’s Zendesk instance, a customer service platform used by the company to handle user support and trust-and-safety inquiries.
2.1M Passport and License Photos Leaked in Discord Vendor Hack
According to cybersecurity research group VX-Underground, the attackers claim to have exfiltrated 1.5 terabytes of data, including approximately 2,185,151 images tied to age verification appeals.
These images consist of passports and driver’s licenses submitted by Discord users attempting to verify their age after being flagged by the platform’s automated moderation system.
In an update posted to its blog on October 3, Discord confirmed that an “unauthorized party” had accessed its third-party Zendesk instance. The company said the incident affected a “limited number of users” who had contacted its Customer Support or Trust & Safety teams.
Discord emphasized that its own servers were not breached, and no user passwords, private messages, or authentication data were exposed.
However, the attackers’ claims go far beyond Discord’s initial description of a limited incident. VX-Underground shared screenshots of sample ID images allegedly taken from the breach, saying Discord was being extorted for the stolen data.
The leaked files reportedly include photos of passports, driver’s licenses, and other identity documents used for verification. Discord has not confirmed the authenticity of the leaked samples but acknowledged that some ID photos were among the data accessed.
While Discord’s official disclosure sought to minimize the scale of the incident, VX-Underground and other cybersecurity observers presented a different picture, alleging that the attackers are in possession of over 2.1 million user verification photos.
The group also published samples of the stolen documents to substantiate their claims and confirmed that Discord is being extorted to prevent a public release.
Although Discord clarified that full credit card numbers, CCV codes, and private messages were not exposed, experts warn that the stolen details could still be exploited for phishing, identity theft, or social engineering attacks.
The breach has reignited concerns over how digital platforms handle identity verification data. Discord users have expressed frustration online, noting that the company previously stated age verification information would be deleted immediately after confirmation.
Critics say the storage of appeal-related documents created an unnecessary privacy risk, as these images were kept on external servers.
Discord Hack Ignites UK Debate Over Digital ID Plans
Security analysts say the breach highlights a recurring flaw in data-handling practices: even when companies outsource functions like customer support, sensitive information can remain exposed if vendors are not held to the same security standards.
In this case, attackers appear to have targeted Discord’s Zendesk environment directly rather than its primary infrastructure, taking advantage of the external system’s access privileges.
The fallout from the incident has also spilled into broader political discussions in the United Kingdom, where the news has fueled public opposition to the government’s planned national Digital ID program.
Following reports of the Discord hack, a petition opposing the initiative has surpassed 2.8 million signatures, with critics citing the breach as proof of the dangers of centralized digital identification systems that store large volumes of sensitive data.
The Discord attack follows a series of similar intrusions targeting third-party service providers across the tech industry. Zendesk, which provides helpdesk software to numerous firms, has been used as a backdoor in several past attacks.
Discord said it is now reviewing all external vendors and auditing access permissions to prevent future incidents.
As of this week, the extortionists have not disclosed the ransom amount or the deadline for payment. Law enforcement agencies in the United States and Europe are reportedly investigating the case, but the authenticity of the hackers’ full dataset has yet to be independently verified.
The breach comes amid a renewed focus on digital identity security and user privacy. Last year, Privado ID, a spin-off from Polygon Labs, introduced a web wallet that allows users to verify their age and identity using zero-knowledge proofs, a cryptographic method that confirms personal details without exposing underlying data.
The technology has been touted as a privacy-preserving alternative to traditional document uploads like those used by Discord’s age verification process.
The post Hackers Threaten to Leak 2.1M Discord Users’ Passports, Licenses in Extortion Attack appeared first on Cryptonews.
