Discord’s ongoing security nightmare has taken a dramatic turn after the company confirmed that a third-party breach exposed government-issued IDs submitted by users during age verification despite earlier assurances that such data would not be stored.
The company disclosed that the incident occurred on September 20, when a cyberattack targeted Zendesk, a customer support vendor that manages Discord’s service tickets and communications.
Attackers reportedly gained unauthorized access to records containing names, email addresses, Discord usernames, IP addresses, limited billing information, and conversations between users and Discord’s Trust & Safety or Customer Support teams.
Discord clarified in a message to affected users that they had not compromised any passwords, authentication data, or full credit card numbers.
However, what started as a contained breach quickly escalated into a public relations disaster when hackers began claiming they had stolen over 1.5 terabytes (TB) of data, including 2.1 million age-verification photos.
Many of these users had already completed other verification methods, such as facial scans, but were later locked out and forced to resubmit government-issued documents to regain access.
According to reports, the attackers are using this cache to extort Discord, threatening to release the data if their demands remain unmet. Discord, however, strongly disputed the hackers’ claims, accusing them of spreading misinformation to amplify fear.
According to the company, the number of exposed IDs is low, roughly 70,000 users, and all affected individuals have already been contacted.
“No Storage” Promises Under Scrutiny
The incident is pretty damaging because it directly contradicts Discord’s prior public assurances that it would not store age-verification documents. The company stated that ID photos were processed securely and immediately deleted after verification.
However, because Zendesk handled customer support requests, including appeals related to age verification, many of those IDs were automatically attached to support tickets, leaving them vulnerable to this breach.
This has resulted in widespread criticism and debate over the safety of digital age verification systems.
Discord is not alone in facing the fallout from age-verification compliance. Other major platforms such as Instagram, TikTok, and Reddit have introduced similar systems requiring users to upload ID photos or facial scans.
Discord says it has revoked the compromised vendor’s access, reset internal credentials, and is working with cybersecurity experts to contain the fallout.
They further recommend that affected users remain alert for suspicious emails or messages, enable two-factor authentication, and avoid sharing personal details on unofficial support channels.
