Hackers Threaten to Expose 2.1 Million Discord Users’ Passports and Licenses in Extortion Attack
Hackers have reportedly stolen over 2 million government ID photos from Discord’s third-party support system and are now threatening to expose them unless the company pays a ransom. The breach occurred on September 20 and affected Discord’s Zendesk instance, a customer service platform the company uses to handle user support and trust and security requests.
According to cybersecurity research group VX-Underground, the attackers claim to have exfiltrated 1.5 terabytes of data, including approximately 2,185,151 images related to age verification appeals. These images are passports and driver’s licenses submitted by Discord users attempting to verify their age after being flagged by the platform’s automated moderation system.
Discord’s Response and the Extortion Threat
Discord confirmed that an “unauthorized party” had accessed a third-party Zendesk instance, affecting a “limited number of users” who contacted customer service or Trust & Safety teams. However, the attackers’ claims go far beyond Discord’s initial description of a limited incident. VX-Underground shared screenshots of sample ID images allegedly taken in the breach, noting that Discord was being blackmailed over the stolen data.
The leaked files reportedly include photos of passports, driver’s licenses, and other identity documents used for verification. Discord has not confirmed the authenticity of the leaked samples, but acknowledged that some ID photos were among the data retrieved. While Discord’s official disclosure aimed to minimize the scale of the incident, VX-Underground and other cybersecurity observers presented a different picture, claiming that the attackers were in possession of over 2.1 million user verification photos.
Implications and Concerns
The breach has renewed concerns about how digital platforms handle identity verification data. Discord users have expressed their dissatisfaction online, pointing out that the company had previously stated that age verification information would be deleted immediately after confirmation. Critics say storing documents related to the complaint poses an unnecessary risk to privacy because those images are stored on external servers.
Security analysts say the breach highlights a recurring flaw in data processing practices: Even when companies outsource functions like customer support, sensitive information can still be exposed if providers don’t adhere to the same security standards. The fallout from the incident has also sparked broader political discussions in the United Kingdom, where the news has fueled public opposition to the government’s planned national digital ID program.
For more information on this incident, visit https://cryptonews.com/news/hackers-threaten-to-leak-2-1m-discord-users-passports-licenses-in-extortion-attack/
