On October 3, 2025, Discord reported that hackers had compromised one of its third-party customer service and support providers (5CA), and allegedly stole at least 70,000 images of government-issued IDs (such as passports or driver’s licenses) used for age verification.

According to Discord, other sensitive information that was stolen includes:

  • Names, Discord usernames, email addresses, and other contact details that users provided to receive support.
  • Messages or conversation transcripts with support agents (for example, what users communicated with support teams).
  • Limited billing and payment metadata, including payment method, purchase history, and the last four digits of credit cards.
  • IP addresses associated with support interactions.
  • “Limited corporate data” such as training materials or internal presentations stored in the support system.

It also says the following types of sensitive information were not accessed:

  • Full credit card numbers and security codes (CCV)
  • Messages or activity on Discord beyond what users may have discussed with customer support
  • Passwords or authentication data

The breach apparently began on September 20, after the attackers compromised the account of a support agent, and they had access to Discord user data for roughly 58 hours. Discord is contacting all impacted users via email from noreply@discord.com.

The motivation for the attack appears to be entirely financial, with the hackers’ initial $5 million ransom demand later reduced to $3.5 million. Discord’s spokesperson told The Verge that Discord “will not reward those responsible for their illegal actions.”

However, there are conflicting reports over the scope of the attack and who is truly at fault. The cybercrime group claiming credit for the attack, Scattered LAPSUS$ Hunters, says it stole 1.5 terabytes of data from 5.5 million users, including over 2.1 million photos of government IDs. And on October 14, 5CA, the third-party customer support service Discord alleges is responsible for the breach, denied that it handled government-issued IDs for Discord, or that its system was hacked (while also admitting the incident potentially resulted from human error).

So why did Discord collect photos of government IDs?

To comply with the UK’s new age verification law (and Australia’s upcoming one), Discord has been experimenting with age verification using either a face scan or a scanned ID (such as a passport or driver’s license).

Typically, Discord required a user’s selfie and then used software to scan the photo and estimate their age. Discord would then delete the photo at the end of the process. The system that was allegedly hacked was part of its appeals process.

If a user felt they were wrongly banned for being too young, they could send a photo of their government-issued ID to help prove their age. It’s this data that was allegedly stolen. And given Discord’s 200 million active users, if even a small fraction of them had to go through the appeal process, that’s potentially millions of IDs.

That a social media platform used primarily by gamers feels a need to collect this information shows how far the mission creep of age verification laws, whose stated purpose is to protect kids from pornography, has already spread.

How to protect yourself

This breach is another reminder that we are often forced to hand over sensitive data with little visibility into how it’s stored, secured, or shared. While you can’t call back data that’s already leaked, you can try to take control of what data you share going forward. Here’s how:

  • Audit where your sensitive data is: If you had to share sensitive data (like an ID) with a service, read that service’s privacy policy. If you no longer use the account, see if there’s an option to delete your data.
  • Use services that don’t require invasive data: This is becoming more difficult, but data that is never collected cannot be leaked. If you need a service, look for ones that are transparent about what data they collect, for what purpose, and how long it will be stored.
  • Keep data sharing to a minimum online: Even (or, given the many recent attacks focusing on support portals, especially) during support interactions, don’t share any unnecessary information. Use a VPN and email aliases whenever possible.

What this means for age verification

The need to protect children from the many online harms is real, so it’s understandable that governments around the world, from the EU to Australia to Canada, are keen to follow the UK’s newly enforced age verification law.

Whether such laws are the best solution to the problem is open to debate, but what is certain is that data breaches have become such a daily drumbeat that we hardly even notice news headlines about yet another high-profile company leaking millions of people’s personal details.

And there has never been any reason to suppose that the uniquely sensitive age verification data would be immune from such leaks, a point dramatically proven by this incident.

This means that even if you approve of age verification laws in principle, they should not be implemented before genuinely secure, decentralized, open-standard solutions that truly respect your privacy are developed and made widely available.