A Discord third-party breach leaked government ID photos from over 70,000 users. Attackers targeted Zendesk, a vendor managing customer support and ID verification for Discord. The Scattered LAPSUS$ Hunters group claimed responsibility for the attack. This case highlights the dangers of outsourcing sensitive data handling to external providers.
How the Breach Happened
Attackers compromised Zendesk, the vendor Discord used for support and ID verification. They gained access to the vendor’s database, which stored user IDs and verification details.
Discord confirmed that its main systems remained secure. After detecting the breach, the company immediately cut the vendor’s access and launched an investigation.
The attackers infiltrated Zendesk’s infrastructure by exploiting weak access controls and poor security configurations.
Scope of the Data Exposure
The attackers claim they collected data from 5.5 million users, though Discord verified about 70,000 confirmed ID exposures. The stolen data included:
- Full names and Discord usernames
- Email addresses and IP logs
- Government ID photos used for verification
- Partial payment details and ticket attachments
Scattered LAPSUS$ Hunters also boasted about stealing 521,000 age-verification tickets, suggesting a broader impact than Discord reported.
The Role of Scattered LAPSUS$ Hunters
The Scattered LAPSUS$ Hunters group, known for attacking major tech firms, took credit for the breach. The hackers said they controlled Discord’s Zendesk environment for nearly 60 hours. During that time, they disabled multi-factor authentication and downloaded over 1.5 TB of internal data.
This group typically combines social engineering with targeted exploits to bypass vendor security measures.
Third-Party Security Risks
Cybersecurity experts warn that this Discord third-party breach illustrates the risk of trusting vendors with sensitive information. When external providers store personal data, they become prime targets for attackers.
Government ID data is especially dangerous to lose—it cannot be replaced or reissued once exposed. Experts say companies must monitor vendors as rigorously as their internal systems.
Discord’s Response
Discord quickly revoked the vendor’s access and notified law enforcement. The company is also informing affected users directly. Security teams are now reviewing how vendors handle ID verification and ticket storage.
Discord stated that it plans to strengthen vendor oversight and reduce how much sensitive data third parties can store.
Conclusion
The Discord third-party breach shows that even indirect vulnerabilities can expose users to major privacy risks. Attackers exploited a single vendor to compromise thousands of government IDs. Companies relying on external providers must enforce stronger security audits and tighter access policies to prevent similar incidents.
0 responses to “Discord Third-Party Breach Exposes 70,000 Government IDs”