Messaging platform Discord recently informed its user base that a cyberattack against one of its third-party providers resulted in the potential leak of approximately 70,000 users’ personal information. The platform first drew attention to the cyberattack in a blog post on its website on October 3, 2025.
The blog post, updated on October 8, said the information leaked could include official government ID photos, names, contact details, partial credit card details and IP addresses.
The blog post adds that the company took “immediate steps” to respond to the attack as soon as it occurred, including revoking the third-party vendor’s access to its system. The company is also cooperating with law enforcement regarding an investigation, with the blog post adding:
“Recently, we discovered an incident where an unauthorized party compromised one of Discord’s third-party customer service providers. The unauthorized party then gained access to the information of a limited number of users who had contacted Discord through our customer support and/or trust and security teams.”
“As soon as we became aware of this attack, we took immediate action to remediate the situation. This included revoking the customer support provider’s access to our ticketing system, initiating an internal investigation, engaging a leading cyber forensics firm to support our investigation and remediation efforts, and engaging law enforcement.”
Potentially leaked information included customer names, Discord usernames, contact details, email addresses, “limited billing information such as payment type, last four digits of your credit card, and purchase history if associated with your account,” IP addresses, messages with customer service agents, limited company data, and government ID images of users boundaries.
The company added that all payment details, messages between users and other activities beyond discussions with customer service agents, as well as passwords or authentication data were not disclosed. The company would contact affected users via email based on the ID. noreply@discord.com.
According to the BBC, Zendesk, one of the messaging platform’s customer service software providers, told the publication that “its systems had not been compromised.” Additionally, the messaging platform also responded to online rumors that the cyberattack could be bigger than what has been revealed.
A spokesperson for the company denied the accusations in a statement to the BBC, adding that the claims were “part of an attempt to extort payment.”
“We will not reward those responsible for their illegal actions,” the spokesperson continued.
Discord recently implemented facial scanning to verify age in the UK and Australia.
In April 2025, Discord recently rolled out a new strategy to ensure user age verification in the UK and Australia. The minimum age required to create a Discord account is 13 years old. The new age verification on the messaging platform came after the UK passed the Online Safety Act to ensure “robust” age checks for users to access adult content.
The experimental verification method, carried out by third-party company k-ID, requires users to scan their face or present a photo ID card. The company reassured users that the information is for one-time verification, adding that it does not store any biometric data.
However, users have found a loophole to bypass age verification. According to a July 2025 article on PC Gamer, users began using Death Stranding 2: On the Beachto bypass age verification by pointing the camera at a photo mode portrait of the character Sam Porter Bridges (played by Norman Reedus).
The platform’s age verification system requires users to open/close their mouth for verification, which can be done on Dead Standing scanning the facial expressions of the bridges.
Discord has yet to close the age verification loophole as of this writing.
Edited by Juhi Marzia
