A catastrophic breach has impacted Discord user data including selfies and identity documents uploaded as part of the app’s verification process, email addresses, phone numbers, approximately where the user lives, and much more.
The hack, carried out by a group that is attempting to extort Discord, shows in stark terms the risk of tech companies collecting users’ identity documents, and specifically in the context of verifying their age. Discord started asking users in the UK, for example, to upload a selfie with their ID as part of the country’s age verification law recently.
“This is about to get really ugly,” the hackers wrote in a Telegram channel, which 404 Media joined, while posting user data on Wednesday. A source with knowledge of the breach confirmed to 404 Media that the data is legitimate. 404 Media granted the source anonymity to speak candidly about a sensitive incident.
Earlier this month Discord announced hackers had breached one of its third-party vendors that supports its customer service efforts. That vendor, which the hackers suggest is Zendesk, handles age-related appeals, Discord said. On Wednesday, Discord told The Verge it has identified around 70,000 users who may have had their government ID photos exposed as part of the breach.
In their Telegram group, the hackers took issue with Discord earlier saying the breach impacted a “small number of government-ID images.” The hackers posted a screenshot of what they presented as the size of the stolen data: 1.5 terabytes.
Then on Wednesday the hackers started posting Discord samples of user data. That included selfies of people holding up their ID documents. At least two of these are from people holding identity documents from the U.S. and Canada. Some of these are images where the individual person is clearly visible; others are screenshots of larger folders containing thumbnails of the images.
Other data the hackers posted include a spreadsheet of 1,000 users’ email addresses; usernames; a “TRUE” or “FALSE” flag as to whether they had been verified; their town, state or county, and country; partial phone numbers (the spreadsheet includes the area code and the last few digits of the number); whether the person has multifactor authentication enabled; and the last time they were seen on Discord.
The hackers then posted data related to a specific Discord user with a Coinbase email address. That data included information about their payments for Nitro, Discord’s subscription service; their full phone number; and IP address used. 404 Media corroborated the phone number by searching for it in a tool called OSINT Industries which provided usernames that largely match the name in the email address. Coinbase said in an emailed statement “Coinbase is aware and has investigated. We are not impacted.”
The hackers also posted a screenshot of a customer support interaction of a user who has the same name as the alleged Charlie Kirk shooter, Tyler Robinson. Robinson was previously connected to Discord when he appeared to confess the crime to messages to friends on the app, according to CNN. That screenshot includes the user’s email address, Discord username, and location listed as Salt Lake City, Utah.
Digital rights activists and online speech experts have long warned about this exact scenario: the privacy risks involved in handing over one’s ID to a platform—specifically taking companies at their word that they’re capable of safeguarding users’ data—outweigh any supposed benefits they promise. Those experts have especially included the adult industry, which has been targeted by age verification lobbyists for years, as age verification laws passed across the country beginning in 2022 and have spread to more than 30 states since. Requiring platforms to take visitors’ a government-issued ID or biometric data, including the kinds of selfies that are exposed in this breach, is ineffective at preventing minors from accessing adult material as they’re pushed to more extreme, less regulated or moderated platforms where administrators don’t care about complying with US law (or simply use a VPN). As age verification legislation continues to spread, it’s only become more all-encompassing, requiring all sites and platforms, not just ones that are mostly porn, to verify ages or face heavy fines or jail time.
Discord did not respond to a request for comment.
In an email, a ZenDesk spokesperson told 404 Media “Our investigation indicates this incident did not arise from a vulnerability within Zendesk’s platform. Zendesk’s own systems were not compromised.” In messages with the infosec X account VX-Underground, the hackers reportedly said they compromised an outsourced support agent.
Sam Cole provided additional reporting.
Update: this piece has been updated to include a statement from Coinbase.