Date: 2025-10-09

Discord has firmly stated it will not pay ransom demands from threat actors claiming to have stolen data from its Zendesk support system. The hackers allege that they were able to access personal information from 5.5 million unique users, including partial payment data and government ID images.

Discord, however, has disputed these numbers, clarifying that approximately 70,000 users had their ID photos exposed, not the 2.1 million previously claimed by the attackers. The company emphasized that this was not a breach of Discord’s own systems, but rather of a third-party service provider used for customer support.

Discord’s Official Response

In its public statement, Discord said:

“This was not a breach of Discord, but rather a third-party service we use for customer support.”

The company added that the figures that are circulating online are inaccurate and part of an extortion attempt. “We will not reward those responsible for their illegal actions,” Discord stated.

Discord was able to identify 70,000 impacted users whose government ID photos were stored by the vendor to verify their ages. The company has assured users that its internal systems remain secure and that their security is intact.

How the Attack Allegedly Happened

The hackers claim that the breach occurred through Discord’s Zendesk instance, where they say they maintained access for 58 hours starting September 20, 2025. According to them, entry was not gained through a vulnerability, but rather via a compromised account belonging to a support agent employed through an outsourced business process outsourcing (BPO) provider.

This attack highlights the growing risk of third-party and outsourced service breaches. BPO employees, who often handle sensitive support data, have become attractive targets for cybercriminals seeking indirect access to larger corporate systems. BPOs are easy targets for hackers because they often maintain legitimate network and service access to multiple client organizations. Many smaller providers also rely on outdated systems or delay critical security updates, creating exploitable vulnerabilities. By compromising even a single vendor, attackers can easily target multiple clients at once, amplifying their impact and achieving a much larger “blast radius” than by attacking each organization individually.

What the Hackers Claim to Have Stolen

The hackers claim that access to Discord’s internal Zendesk instance gave them control of a support tool known as Zenbar. Through this tool, they could theoretically disable multi-factor authentication and view users’ email addresses, phone numbers, and account activity.

They claim to have stolen 1.6 terabytes of data, including 1.5 TB of ticket attachments and 100 GB of transcripts. The hackers assert that this covers 8.4 million support tickets, affecting 5.5 million users, with 580,000 cases involving some level of payment data.

Data Exposed in the Breach

The leaked dataset reportedly includes email addresses, Discord IDs, usernames, phone numbers, partial payment details, and date of birth. Some records may also contain MFA tokens and internal activity logs.

Attackers claim that Zendesk’s integration with Discord’s internal systems automatically enabled millions of unauthorized API queries, which may have exposed additional user information. However, numerous independent outlets that were following the case could not verify these claims, or confirm the authenticity of the data.

Ransom Demands and Fallout

The hacking group initially demanded a $5 million ransom, and later reduced it to $3.5 million during negotiations with Discord between September 25 and October 2. After Discord stopped responding and issued a public statement, the hackers expressed anger and threatened to leak the data publicly if payment was not made.

Discord has refused to give in to this extortion attempt and has repeatedly reassured users that its security measures remain strong. However, the company has not yet commented further on why government ID photos were retained after age verification.

Conclusion: Risks of Third-Party Breaches

This incident underscores a growing issue in cybersecurity: the vulnerability of third-party service providers. Many major companies now rely on external BPOs for IT and customer support to save costs, which can create indirect entry points for attackers. As discussed earlier, these BPOs often lack the security measures needed to stop cyberattacks of this scale effectively.

Experts warn that organizations should strengthen vendor security audits, limit data retention, and enforce multi-layer authentication across all integrated systems to prevent similar breaches in the future. An attack on a single vendor can potentially lead to data breaches for hundreds of clients, many of whom are large-scale international organizations.

While Discord continues its investigation, this case serves as a stark reminder that no organization is truly 100% safe, and data security is only as strong as the weakest link in the supply chain. If that link collapses, so does the supply chain.