
Discord has confirmed a significant security incident affecting users who contacted its Customer Support or Trust & Safety teams, after an unauthorized party gained access to the company's third-party customer service provider on September 20, 2025.
The breach, which Discord disclosed on October 3, compromised sensitive user information including names, email addresses, IP addresses, Discord usernames, and messages exchanged with support agents. Most concerning for affected users: the attackers also accessed government-issued ID images (driver's licenses and passports) from individuals who had appealed age verification decisions—a particularly troubling development given recent legislative changes requiring age verification on social platforms.
According to Discord's official statement, the unauthorized party targeted their third-party customer support services "with a view to extort a financial ransom from Discord."
Security researchers on social media quickly identified the breach as affecting Discord's Zendesk implementation, a popular customer service platform used by countless companies worldwide.
The incident has drawn sharp criticism from cybersecurity experts. "The Threat Actor has so much fucking leverage," noted vx-underground, a prominent security research collective. "Depending on what's in the data they could extort celebrities, crypto influencers, politicians, scammers and/or other Threat Actors, government officials."
Discord emphasized that full credit card numbers, CCV codes, passwords, and regular Discord messages were not accessed. However, limited billing information including payment types and the last four digits of credit cards was exposed for some users.
Third Breach This Year Raises Serious Questions
Reddit users quickly pointed out this marks Discord's third security incident in 2025, prompting frustration within the community. "Discord needs to really figure out what's going on on the support side," wrote one user in a Reddit thread.
Many users have shared screenshots on Reddit of the email they received.
[Image: Email notification received by a user. Source: Reddit]
The timing is particularly unfortunate, coming shortly after Discord's implementation of controversial age verification requirements that led to many users submitting government IDs. Several affected users reported their verification tickets remained unresolved for weeks, only to be told their documents were now potentially compromised.
What Users Should Do Now
If you've ever contacted Discord support, security experts recommend taking immediate action:
- Change your Discord password and ensure it's unique across all platforms
- Enable two-factor authentication (2FA) on both Discord and your email account
- Monitor financial statements closely for unauthorized transactions
- Refresh your IP address by restarting your router and consider using a VPN
- Review past support tickets to assess what information you may have shared
- Stay alert for phishing attempts that reference your actual support interactions
Even if you haven't received a notification email, assume your data may have been exposed if you've contacted Discord support in the past year. Discord confirmed it will only contact users about this incident via email from [email protected]—never by phone.
Discord states it will continue to frequently audit third-party systems to ensure they meet security and privacy standards, and has reviewed threat detection systems and security controls for third-party support providers.
However, for the platform's 200+ million active users, this incident serves as a stark reminder that their data's security depends not just on Discord's defenses, but on every vendor the company chooses to work with.