Discord has publicly refused to pay a ransom to cybercriminals who claim they stole data on 5.5 million users. The company maintains the exposure is far smaller—about 70,000 users—and stems from a third‑party customer support vendor whose account was compromised on September 20, 2025.
Official statement: vendor compromise and preliminary impact
Discord says the incident was not a breach of its core platform. Instead, an external business process outsourcing (BPO) provider used for handling support tickets was compromised. The company reports it rapidly isolated the vendor from its ticketing systems and launched an investigation.
According to Discord’s initial assessment, the exposed data primarily involves ID documents (such as driver’s licenses or passports) submitted by a limited set of users for age verification. The company estimates the potentially affected cohort at roughly 70,000 users and characterizes the attackers’ numbers as part of an extortion tactic.
Attackers’ claims: 1.6 TB of tickets, 5.5M users, and support tool privileges
As reported by BleepingComputer, a group calling itself Scattered Lapsus$ Hunters, which claims ties to Scattered Spider, LAPSUS$, and ShinyHunters, says it gained access by hijacking a support employee’s credentials at the BPO. The group says the access persisted for about 58 hours starting on September 20, on a ticketing instance that media reports have associated with Zendesk.
The group alleges it exfiltrated around 1.6 TB of data covering more than 8.4 million tickets from 5.5 million unique users, and that a subset of roughly 580,000 tickets contained partial payment information. It further claims access to an internal support application called Zenbar, which it says exposed phone numbers and email addresses and allowed sensitive actions such as disabling a user’s MFA. BleepingComputer notes it has not independently verified these claims or the samples.
Expert analysis: third‑party risk, BPO accounts, and over‑privileged support tools
The case underscores classic third‑party/supply‑chain risk: a contractor’s compromise can yield sensitive data even when the primary platform remains intact. Similar dynamics were seen in the Okta customer support incident (2023), where support tooling and uploaded artifacts became a pivot point for threat actors.
Controls that reduce this blast radius include phishing‑resistant MFA (FIDO2/WebAuthn) for vendor and contractor accounts, device binding and conditional access, and a Zero Trust posture that continuously verifies user, device, and context. For support workflows, enforce least privilege, keep the ticketing environment strictly segmented from production, and grant elevated actions only through just‑in‑time (JIT) elevation via a PAM system with short-lived credentials, so that a stolen support session yields ordinary ticket access rather than account‑takeover capability.
Organizations should also log, monitor, and alert on sensitive support actions, for example viewing government IDs, resetting passwords, or disabling MFA, with immutable logging and rapid response playbooks; a burst of such actions from a single agent account is a strong signal of a hijacked session. Where identity documents are processed, apply application‑level encryption, tokenization, and minimal data retention, and keep the documents segregated from the ticket system so that a ticketing compromise does not expose them and regulatory exposure (e.g., GDPR/CCPA) is reduced.
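The two paragraphs above describe the controls in policy terms. The following is an added example, not Discord's, Zendesk's, or any vendor's code, showing what the monitoring side looks like in practice: a small detector run over constructed JSON-lines audit events from a hypothetical support tool. It flags sensitive actions performed from a session that was not authenticated with phishing-resistant MFA, actions performed without a still-valid JIT elevation, and bursts of sensitive actions by one agent account (the pattern bulk scraping of ID documents or mass MFA disabling would produce). The log schema, field names, rule names, and thresholds are assumptions; the sample events are constructed for the example.

```python
"""Toy detector for risky actions in a support tool's audit log.

Added example, not Discord's or any vendor's code. The log format, field names
and thresholds are assumptions; real ticketing/PAM systems emit other schemas.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Actions a support agent should rarely need; each deserves a log entry and review.
SENSITIVE_ACTIONS = {"view_id_document", "disable_mfa", "reset_password", "export_tickets"}

# Assumed policy: sensitive actions require a still-valid JIT elevation and a
# session authenticated with a phishing-resistant method (WebAuthn/FIDO2).
PHISHING_RESISTANT = {"webauthn"}
BURST_LIMIT = 5                       # more than this many sensitive actions ...
BURST_WINDOW = timedelta(minutes=10)  # ... inside this window is a bulk-access alert


def parse_ts(s):
    """Parse an ISO-8601 UTC timestamp with a trailing Z (assumed log format)."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def detect(log_lines):
    """Return (rule, agent, timestamp, detail) alerts for a sequence of JSON log lines."""
    alerts = []
    recent = defaultdict(deque)  # agent -> timestamps of recent sensitive actions
    for line in log_lines:
        ev = json.loads(line)
        if ev["action"] not in SENSITIVE_ACTIONS:
            continue
        ts = parse_ts(ev["ts"])
        agent = ev["agent"]

        # Rule 1: the session is not bound to phishing-resistant MFA.
        if ev.get("auth_method") not in PHISHING_RESISTANT:
            alerts.append(("weak_auth", agent, ev["ts"], ev["action"]))

        # Rule 2: no JIT elevation, or it had already expired when the action ran.
        exp = ev.get("elevation_expires")
        if exp is None or parse_ts(exp) < ts:
            alerts.append(("no_jit_elevation", agent, ev["ts"], ev["action"]))

        # Rule 3: burst of sensitive actions by one agent inside the sliding window.
        window = recent[agent]
        window.append(ts)
        while window and ts - window[0] > BURST_WINDOW:
            window.popleft()
        if len(window) == BURST_LIMIT + 1:  # fire once, when the threshold is first crossed
            alerts.append(("burst", agent, ev["ts"],
                           f"{len(window)} sensitive actions within {BURST_WINDOW}"))
    return alerts


# Constructed sample events (not real log data).
SAMPLE_LOG = [
    # Benign: WebAuthn-bound session, valid elevation, a single ID review.
    '{"ts":"2025-09-20T09:00:00Z","agent":"agent-a","action":"view_id_document",'
    '"target":"u1","auth_method":"webauthn","elevation_expires":"2025-09-20T09:30:00Z"}',
    '{"ts":"2025-09-20T09:01:00Z","agent":"agent-a","action":"reply_ticket",'
    '"target":"t1","auth_method":"webauthn"}',
    # Suspicious: TOTP-only (phishable) session, no elevation, disables a user's MFA.
    '{"ts":"2025-09-20T22:10:00Z","agent":"agent-b","action":"disable_mfa",'
    '"target":"u2","auth_method":"totp"}',
    # Suspicious: elevation expired before the action was taken.
    '{"ts":"2025-09-20T22:12:00Z","agent":"agent-b","action":"view_id_document",'
    '"target":"u3","auth_method":"webauthn","elevation_expires":"2025-09-20T22:00:00Z"}',
]
# Bulk scraping: six ID views in six minutes, each individually "allowed".
SAMPLE_LOG += [
    json.dumps({"ts": f"2025-09-20T23:0{i}:00Z", "agent": "agent-c",
                "action": "view_id_document", "target": f"u{10 + i}",
                "auth_method": "webauthn",
                "elevation_expires": "2025-09-20T23:30:00Z"})
    for i in range(6)
]


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The burst rule is the one that catches the scenario described in this article: every individual ID view by agent-c passes the authentication and elevation checks, and only the rate reveals scraping. In a real deployment the alerts would feed a SIEM and the log sink would be append-only and outside the vendor's control, so the account that performed the actions cannot also erase the evidence.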
Extortion timeline and Discord’s response
Media reports indicate the ransom demand started at $5 million and later dropped to $3.5 million, with negotiations allegedly running from September 25 to October 2, 2025. After Discord publicly challenged the attackers’ assertions and halted contact, the group threatened to publish data. Discord states it will not “incentivize criminal activity” and continues to investigate while the vendor remains isolated.
What Discord users should do now
Users who interacted with support or completed age verification should enable and re‑check MFA (preferably passkeys or an authenticator app), use a password unique to Discord and change it if it was reused elsewhere, and watch for phishing via email or SMS, especially messages that reference a past support ticket, since ticket contents are among the data claimed stolen. Consider enabling card transaction alerts and, where available, identity monitoring or a credit freeze. If Discord issues formal notices, follow the instructions, including any guidance on replacing ID documents.
The situation remains fluid, and the gap between Discord’s estimate and the attackers’ claims highlights how vendor access and support tooling can become high‑value targets. Strengthening Zero Trust controls, enforcing JIT and least‑privilege access for support teams, and minimizing the storage of highly sensitive ID artifacts can substantially reduce impact—regardless of how large the numbers in an extortion note may be.