Discord Breach Update: Threat Actor Claims 2.1 Million Government IDs Stolen in Massive 1.5TB Data Haul
Scale of Discord Breach Far Exceeds Initial Estimates as Hackers Mock Company's "Small Number" Claim
Breaking Update - October 8, 2025 - New revelations about the Discord third-party data breach suggest the incident is significantly worse than initially reported, with threat actors claiming to have stolen over 2.1 million government identification photos totaling 1.5 terabytes of data from Discord's compromised Zendesk customer service platform.
Executive Summary
Following our initial coverage of Discord's September 20, 2025 breach, cybersecurity researchers and the threat actors themselves have disclosed alarming new details:
- 2,185,151 government ID photos allegedly stolen - far exceeding Discord's "small number" claim
- 1.5TB of age verification data in the hands of attackers
- Scattered Lapsus$ Hunters identified as the responsible threat actor group
- Threat actors publicly mocking Discord's response and threatening continued data releases
- Leaked database tables reveal extensive user data exposure including complete identity information
The Threat Actor: Scattered Lapsus$ Hunters
Security researchers have now identified the attackers as Scattered Lapsus$ Hunters (SLH), a coalition cybercrime group combining members and tactics from three notorious hacking organizations:
- Scattered Spider - Specialists in social engineering and IT helpdesk impersonation
- LAPSUS$ - Known for extortion through publicity and data leaks
- ShinyHunters - Experts in bulk data theft and underground data monetization
This alliance represents one of the most sophisticated cybercrime operations currently active, with previous high-profile attacks including:
- Salesforce platform intrusions affecting 91 major organizations
- Claims of stealing 1.5 billion Salesforce records from 760 companies
- Breaches of major brands including Louis Vuitton, Qantas, Air France-KLM, and Cisco
The group operates through a Data Leak Site (DLS) on the dark web where they publish stolen data, pressure victims, and coordinate extortion campaigns.
Massive Scale Contradicts Discord's Initial Assessment
While Discord's October 3 disclosure characterized the government ID exposure as affecting "a small number" of users, cybersecurity intelligence sources paint a dramatically different picture.
According to posts from the vx-underground security research collective and verified by multiple independent sources:
"Discord is being extorted by the people who compromised their Zendesk instance. They've got 1.5TB of age verification related photos. 2,185,151 photos. 2.1m Discord users' driver's license and/or passport might be leaked."
The Numbers
- 2,185,151 individual photo files containing government IDs
- 1.5 terabytes of total data stolen
- Potentially over 2 million users affected by ID exposure
- Unknown number of email addresses and support communications compromised
These figures represent a breach scale orders of magnitude larger than Discord's initial public statements suggested, raising serious questions about transparency and the company's assessment of the incident's severity.
Threat Actors Mock Discord's Response
Screenshots circulating on Telegram and security researcher channels show Scattered Lapsus$ Hunters openly deriding Discord's characterization of the breach. The attackers posted proof-of-access images showing:
- Sample age verification selfies from Discord users (with faces redacted in public posts)
- Database folder structures containing millions of ID images
- Discord's Zendesk backend access panels
- Internal Discord tools including Okta and Kolide administrative dashboards
The group mocked Discord's security measures, claiming that actions like disabling Okta and Kolide logins would not prevent further intrusions. They revealed details such as an alleged internal network name "SLHM" and threatened to publish additional stolen material through their Data Leak Site.
Complete Database Tables Exposed
Based on leaked information from the threat actors, the compromised database includes extensive user information tables with the following fields:
User Data Tables
- id - Internal user identification numbers
- username - Discord usernames
- email - Email addresses
- verified - Account verification status
- location - User location data
- premium_until - Premium subscription expiration dates
- premium_type - Type of Discord Nitro/premium subscription
- pending_deletion - Account deletion status
- country - Country codes
- phone - Phone numbers
- mfa_enabled - Multi-factor authentication status
- last_seen - Last activity timestamps
Leaked File Structure
The breach also exposed multiple JSON database files containing:
- phonelog.json - Phone number records
- subscriptions.json - Subscription and billing information
- userinfo.json - Comprehensive user profiles
- payments.json - Payment history and methods
This data structure reveals that the breach encompasses not just isolated support tickets, but systematic access to Discord's entire customer service backend database, including deeply sensitive personal and financial information.
Age Verification: A Honeypot for Hackers
This breach dramatically illustrates the risks inherent in mandatory age verification systems that require government ID submission. Security experts have long warned that such databases create irresistible targets for cybercriminals.
Discord implemented stricter age verification measures to comply with regulations including the UK's Online Safety Act. However, the decision to store 2.1 million government IDs in a third-party vendor's system has now resulted in one of the largest identity document breaches in recent history.
The compromised IDs include:
- Driver's licenses with full personal details, addresses, and license numbers
- Passports containing passport numbers, dates of birth, and nationality information
- State-issued ID cards with comprehensive identification data
Unlike financial data, which can be cancelled and replaced, government-issued identification cannot easily be changed once compromised, leaving victims vulnerable to identity theft potentially for years.
Zendesk Identified as Compromised Vendor
Multiple sources have identified Zendesk, the popular customer service platform, as Discord's compromised third-party provider. Zendesk is widely used across the technology industry for support ticket management, making this breach potentially indicative of broader supply chain vulnerabilities.
The attackers gained access to:
- Support agent ticket queues
- Customer service chat histories
- Uploaded attachments including ID documents
- Internal Discord training materials
- Customer billing information
Discord has not officially confirmed Zendesk as the affected vendor, but the threat actors' leaked screenshots and multiple independent security researcher assessments point to Zendesk's infrastructure as the attack vector.
The Extortion Campaign Escalates
According to security researchers tracking Scattered Lapsus$ Hunters, the group has established a pattern of using stolen data as leverage for financial extortion and public pressure campaigns. In Discord's case, the attackers:
- Initial ransom demand - Attempted to extort Discord for an undisclosed sum in exchange for not releasing the data
- Public pressure - Posted proof-of-access screenshots to Telegram channels
- Mocking communications - Publicly ridiculed Discord's security measures and breach disclosure
- Threatened escalation - Warned of releasing additional data through their Data Leak Site
The group has demonstrated this approach in previous campaigns, including their recent Salesforce attacks, where they not only extorted victim companies but also threatened to cooperate with law firms pursuing litigation against Salesforce itself.
Industry experts note this represents a new evolution in cybercrime extortion tactics - moving beyond simple ransom demands to multi-layered pressure campaigns combining financial extortion, reputational damage, and regulatory threats.
Implications for Affected Users
With over 2 million users potentially having their government IDs compromised, the risk profile for affected individuals is severe:
Immediate Risks
- Identity Theft: Stolen IDs can be used to open fraudulent bank accounts, apply for loans, or commit financial crimes
- Synthetic Identity Fraud: Attackers can combine real ID information with fabricated details to create synthetic identities
- Account Takeover: Email addresses and usernames enable targeted credential stuffing attacks across multiple platforms
- Social Engineering: Detailed personal information facilitates sophisticated phishing campaigns
Long-Term Risks
- Persistent Identity Vulnerability: Unlike passwords or credit cards, government IDs cannot be changed, leaving victims permanently vulnerable
- Tax Fraud: Stolen Social Security numbers (if included with US IDs) enable tax return fraud
- Medical Identity Theft: Comprehensive personal information can be used to fraudulently obtain medical services
- Background Check Issues: If IDs are used for crimes, victims may face complications during employment or security clearances
Enhanced Protection Measures
Users who received breach notifications from Discord should immediately:
- Place Fraud Alerts: Contact all three major credit bureaus (Equifax, Experian, TransUnion) to place fraud alerts on credit files
- Consider Credit Freeze: Freeze credit files to prevent new accounts from being opened
- Monitor Financial Accounts: Review all bank and credit card statements for unauthorized activity
- Enable Identity Theft Protection: Consider enrolling in comprehensive identity theft protection services
- Monitor Tax Filings: File taxes early to prevent fraudulent tax returns
- Review Medical Statements: Watch for unauthorized medical claims or prescriptions
- Set Up MFA Everywhere: Enable multi-factor authentication on all critical accounts
- Monitor Credit Reports: Regularly check credit reports for unauthorized accounts or inquiries
Discord's Pattern of Security Incidents
This breach represents Discord's third major security incident in 2025:
July 2025
Threat actors impersonated Discord to distribute Epsilon Red ransomware, targeting Discord users through sophisticated social engineering.
August 2025
Malware campaign leveraged Discord's Content Delivery Network (CDN) for malicious payload distribution, exploiting the platform's trusted infrastructure.
September 2025
Third-party customer service breach exposing 2.1 million government IDs and comprehensive user data.
This pattern raises serious questions about Discord's security posture and vendor management practices. While the company maintains a 90%+ market share in gaming communications with over 200 million monthly active users, the frequency of security incidents suggests systemic vulnerabilities in protecting user data.
Industry Response and Regulatory Implications
Cybersecurity experts have weighed in on the severity of this breach:
Alon Gal, Chief Technology Officer at threat intelligence firm Hudson Rock, noted that the leaked database could prove valuable for law enforcement:
"If it leaks, this db is going to be huge for solving crypto related hacks and scams because scammers don't often remember using a burner email and VPN and almost all of them are on Discord."
The breach also has significant regulatory implications:
- GDPR Violations: Potential massive fines under European data protection regulations
- CCPA Exposure: California Consumer Privacy Act violations for affected California users
- Class Action Risk: Likelihood of major class action lawsuits from affected users
- Regulatory Scrutiny: Increased oversight from data protection authorities globally
Given that government-issued IDs were compromised, regulatory authorities may conduct extensive investigations into Discord's vendor management practices and data protection protocols.
What This Means for the Industry
The Discord breach highlights critical vulnerabilities in the modern digital ecosystem:
Supply Chain Security
Organizations are fundamentally only as secure as their weakest third-party vendor. Even companies with robust internal security can be compromised through vendor relationships.
Age Verification Risks
Mandatory age verification systems requiring government ID submission create honeypots of identity documents. When breached - whether through direct attacks or supply chain compromises - the consequences are catastrophic and permanent for affected users.
Vendor Management
Companies must:
- Conduct continuous security assessments of third-party providers
- Implement strict least-privilege access controls for vendor systems
- Deploy robust monitoring for third-party access patterns
- Establish clear incident response protocols for vendor breaches
- Consider data minimization strategies to limit sensitive information sharing
Alternative Verification Methods
The industry needs to explore privacy-preserving age verification methods that don't require collecting and storing government IDs, such as:
- Zero-knowledge proof systems
- Decentralized identity verification
- Third-party attestation without data storage
- Biometric age estimation without ID submission
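As an added example (not code from Discord, Zendesk or any of the sources cited here) of the "third-party attestation without data storage" and data-minimization ideas listed above: a hypothetical attester inspects the ID once, signs only the age predicate, and the relying party verifies and stores just that claim, never the document or the date of birth. The token format, the claim fields and the shared demo key are assumptions for the illustration.

```python
"""Added illustration (not Discord's or Zendesk's code): age attestation that
keeps no identity document. Hypothetical flow, constructed demo key and data."""
import hashlib
import hmac
import json
from datetime import date
from typing import Optional

# Constructed demo key. A production attester would sign with an asymmetric
# key so the relying party cannot mint claims itself.
ATTESTER_KEY = b"demo-attester-key-not-for-production"
CLAIM_TTL_SECONDS = 600  # relying party rejects claims older than this

def is_at_least(date_of_birth: str, years: int, today: str) -> bool:
    """Age predicate on ISO dates; a Feb 29 birthday is counted on Mar 1."""
    dob, now = date.fromisoformat(date_of_birth), date.fromisoformat(today)
    age = now.year - dob.year
    if (now.month, now.day) < (dob.month, dob.day):
        age -= 1
    return age >= years

def issue_claim(user_id: str, date_of_birth: str, years: int,
                today: str, issued_at: int) -> str:
    """Attester: inspect the ID once, sign only the predicate, discard the rest.
    Neither the date of birth nor the ID image enters the claim."""
    claim = {"sub": user_id, "min_age": years,
             "passed": is_at_least(date_of_birth, years, today),
             "iat": issued_at, "exp": issued_at + CLAIM_TTL_SECONDS}
    body = json.dumps(claim, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(ATTESTER_KEY, body, hashlib.sha256).hexdigest()
    return body.hex() + "." + tag

def accept_claim(token: str, now: int) -> Optional[dict]:
    """Relying party: verify integrity and freshness, then return the only
    record worth storing (no document, no DOB). None on any failure."""
    try:
        body_hex, tag = token.rsplit(".", 1)
        body = bytes.fromhex(body_hex)
    except ValueError:
        return None
    expected = hmac.new(ATTESTER_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None  # forged or tampered claim
    claim = json.loads(body)
    if not claim["iat"] <= now < claim["exp"]:
        return None  # stale or not-yet-valid claim
    return {"user_id": claim["sub"], "min_age": claim["min_age"],
            "age_verified": claim["passed"], "verified_at": now}
```

The point is what the relying party ends up holding: a boolean, a threshold and a timestamp, so a breach of its support or billing backend exposes no passport or licence image.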
What Happens Next?
As of this publication, several critical questions remain:
- Will the data be publicly released? Threat actors have threatened to leak the data, but timing and scope remain unclear
- What is the full scope? Discord has not confirmed the 2.1 million figure or provided exact numbers of affected users
- Will there be legal action? Class action lawsuits and regulatory investigations appear likely
- What other companies are at risk? If Zendesk is the compromised vendor, other companies using the platform may face similar exposures
Recommendations for Discord Users
If You've Contacted Discord Support:
- Check Your Email: Look for official notification from [[email protected]]
- Assume Exposure: Even if you haven't received notification, assume your support data may be compromised
- Review What You Shared: Recall what information you provided in support tickets
If You Submitted Government ID:
- Act Immediately: Place fraud alerts and consider credit freezes
- Monitor Aggressively: Check financial accounts daily for unusual activity
- Document Everything: Keep records of your breach notification for potential legal claims
For All Discord Users:
- Enable Two-Factor Authentication: Use authenticator apps, not SMS
- Change Passwords: Use unique, strong passwords for Discord
- Be Wary of Phishing: Expect increased targeted phishing attempts
- Review Privacy Settings: Minimize information shared publicly on Discord
Conclusion
The Discord breach has evolved from a concerning third-party incident to one of the largest government ID compromises in recent history. With 2.1 million identification documents allegedly stolen and 1.5TB of data in criminal hands, affected users face years of potential identity theft risk.
This incident serves as a wake-up call for the entire technology industry about the dangers of centralized identity document storage and the critical importance of supply chain security. As regulatory requirements increasingly mandate age verification, companies must carefully balance compliance obligations with the fundamental responsibility to protect user privacy and security.
For Discord, the path forward requires not just addressing this specific breach, but fundamentally reassessing their approach to data protection, vendor management, and whether the collection of government IDs is worth the risk to their users.
About This Update
Original Breach Report: Discord Hit by Third-Party Customer Service Data Breach
Update Date: October 8, 2025
New Information Sources:
- vx-underground security research
- Scattered Lapsus$ Hunters public statements
- Multiple cybersecurity researcher analyses
- International Cyber Digest
- Discord Previews
- Hackread technical analysis
- Various security intelligence platforms
Status: This is a developing story. Check back for updates as more information becomes available.
This article will be updated as new information emerges about the Discord data breach and its aftermath.