Hackers have reportedly stolen more than two million government ID photos from Discord’s third-party support system and are now threatening to leak them unless the company pays a ransom.
The breach, which occurred on September 20, involved Discord’s Zendesk instance, the customer service platform the company uses to handle user support and trust and safety questions.
2.1 Million Passport and License Photos Leaked in Discord Vendor Hack
According to cybersecurity research group VX-Underground, the attackers claim to have exfiltrated 1.5 terabytes of data, including approximately 2,185,151 images associated with age verification calls.
These images consist of passports and driver’s licenses submitted by Discord users attempting to verify their age after being flagged by the platform’s automated moderation system.
In an update posted on October 3, Discord confirmed on its blog that an “unauthorized party” had accessed its remote Zendesk instance. The company said the incident affected a “limited number of users” who contacted customer service or Trust & Safety teams.
Discord emphasized that no proprietary servers had been compromised and no user passwords, private messages, or authentication credentials had been exposed.
However, the attackers’ claims go far beyond Discord’s initial description of a limited incident. VX-Underground shared screenshots of sample ID images allegedly taken from the breach, saying Discord was being extorted for the stolen data.
The leaked files reportedly contain photos of passports, driver’s licenses and other identity documents used for verification. Discord did not confirm the authenticity of the leaked samples, but acknowledged that some ID photos were among the data.
While Discord’s official disclosure attempted to minimize the scale of the incident, VX-Underground and other cybersecurity observers presented a different picture, claiming that the attackers are in possession of more than 2.1 million user verification photos.
The group also published samples of the stolen documents to substantiate their claims and confirmed that Discord is being extorted to prevent a public release.
Although Discord made it clear that full credit card numbers, CCV codes and private messages were not made public, experts warn that the stolen data could still be misused for phishing, identity theft or social engineering attacks.
The breach has reignited concerns about how digital platforms handle identity verification data. Discord users have expressed their frustration online, noting that the company previously stated that age verification information would be removed immediately upon confirmation.
Critics say the storage of job-related documents posed an unnecessary privacy risk because these images were kept on remote servers.
Discord hack fuels UK debate over digital ID plans
Security analysts say the breach exposes a recurring flaw in data handling practices: Even when companies outsource functions like customer support, sensitive information can remain public if vendors aren’t held to the same security standards.
In this case, the attackers appear to have targeted Discord’s Zendesk environment directly rather than the primary infrastructure, abusing the remote system’s access rights.
The fallout from the incident has also spilled over into wider political discussions in Britain, where the news appeared to fuel public opposition to the government’s planned national Digital ID program.
Following reports about the Discord hack, a petition filed against the initiative surpassed 2.8 million signatures, with critics citing the breach as evidence of the dangers of centralized digital identification systems that store large amounts of sensitive data.
The Discord attack follows a series of similar intrusions targeting third-party service providers in the technology sector. Zendesk, which provides helpdesk software to many companies, has been used as a backdoor in several previous attacks.
Discord said it is now reviewing all third-party vendors and checking access rights to prevent future incidents.
As of this week, the extortionists have not disclosed the ransom amount or payment term. Law enforcement agencies in the United States and Europe are reportedly investigating the matter, but the authenticity of the hackers’ entire data set has yet to be independently verified.
The breach comes amid a renewed focus on digital identity security and user privacy. Last year, Privado ID, a spinoff of Polygon Labs, introduced a web wallet that allows users to verify their age and identity using zero-knowledge proofs, a cryptographic method that confirms personal data without exposing underlying data.
The technology is touted as a privacy-preserving alternative to traditional document uploads, such as those used in Discord’s age verification process.
The post Hackers Threaten to Leak 2.1 Million Discord User Passports and Licenses in Extortion Attacks appeared first on Cryptonews.

