Messaging app Discord has disclosed that a data breach involving a third-party customer support vendor has exposed personal information, including government IDs.
The messaging app stressed that the breach did not involve its systems and only affected a limited number of users who had communicated with customer service and trust and safety teams.
“Recently, we discovered an incident where an unauthorized party compromised one of Discord’s third-party customer service providers. The unauthorized party then gained access to information from a limited number of users who had contacted Discord through our Customer Support and/or Trust & Safety teams.”
Discord says the threat actor was contained, and it has taken additional steps to limit access to user data and enhance its cyber defenses.
Discord confirms data breach leaked government IDs
While Discord says it prides itself on data security, it says the data breach leaked government IDs used for age-related appeals. According to its statement posted on its website, the data breach affected approximately 70,000 users.
Leaked details included users’ names, Discord usernames, and contact information, such as email addresses. The data breach also leaked billing information, such as billing type, the last four digits of credit card numbers, and purchase history. Users’ IP addresses, messages with customer support agents, limited corporate data, and a small number of government IDs were also illegally accessed.
However, the company assured its customers that the data breach did not expose their messages beyond what they had shared with customer support and safety staff.
The messaging app also stressed that the data breach did not leak full credit card numbers and CVVs, which could allow fraudsters to empty victims’ accounts. However, in some cases, cybercriminals could use stolen government IDs to register financial accounts in the victims’ names.
In addition, the company revoked the breached third party’s access to its ticketing system, thus limiting the threat actor’s access to its user data.
It also launched an investigation involving third-party cyber forensics, notified law enforcement, and sent data breach notification letters to the affected customers. The company is also actively working with law enforcement to investigate the data breach.
Moreover, Discord promised to continue vetting its third-party partnerships and to review its threat detection mechanisms and vendors’ security controls to ensure a similar data breach does not recur.
“Discord has and will continue to take all appropriate steps in response to this situation. As standard, we will continue to frequently audit our third-party systems to ensure they meet our security and privacy standards,” the company said.
The messaging app also advised impacted customers to remain vigilant for suspicious messages from people purporting to work for the company.
Usually, reputable companies do not request login or credit card information over the internet. With their government IDs leaked, users should also be on the lookout for potential fraud by monitoring their accounts and credit reports.
Leaked government IDs could also enable cybercriminals to steal people’s identities when registering for various online services that require KYC verification.
“Identity verification has become a key component in both Know Your Customer (KYC) and Know Your Employee (KYE) scenarios,” said Darren James, a Senior Product Manager at Specops Software. “These requirements stem from recent legislation mandating that service providers make reasonable efforts to validate that their users are who they claim to be.”
Meanwhile, Discord also apologized for the distress that impacted users experienced as a result of the unfortunate data breach.

