Discord confirmed a major data breach exposing approximately 70,000 users’ personal information through a compromised age verification system. The incident, disclosed October 2, 2025, stemmed from a 58-hour attack on third-party vendor 5CA, which handles Discord’s customer support and age verification appeals.
Third-Party Vulnerability Exposes Sensitive User Data
The breach occurred between September 20-22, 2025, when hackers infiltrated systems at 5CA, Discord’s customer service partner responsible for processing age verification appeals. According to Discord’s official statement, the compromised data included government-issued identification documents, email addresses, and IP addresses of users who had submitted age verification appeals.
Security researchers attribute the attack to known hacking collectives including Scattered Spider, LAPSUS$, and ShinyHunters. According to CISA advisories, these groups have previously targeted major corporations, among them multiple critical infrastructure organizations. The hackers initially claimed to have stolen over one million IDs, but Discord’s investigation confirmed approximately 70,000 affected users globally.
Discord emphasized that critical financial information including credit card numbers, CVV codes, passwords, and private messages remained secure. The company immediately revoked 5CA’s system access and launched an internal investigation while cooperating with law enforcement agencies.
Ransom Demands and Corporate Response
Hackers demanded a $5 million ransom from Discord, later reducing their demand to $3.5 million during negotiations between September 25 and October 2, 2025. Discord refused payment, stating “We will not reward those responsible for their illegal actions” in its public announcement.
The company’s refusal to pay follows FBI guidance against ransomware payments, which the agency states “encourages continued criminal activity.” As of October 10, 2025, the stolen data has not been publicly released despite hackers’ threats to publish it if demands weren’t met.
Affected users received direct email notifications from [email protected] with instructions for protective measures. Discord has engaged digital forensics experts and notified relevant data protection authorities including the UK’s Information Commissioner’s Office, which could potentially levy fines under GDPR regulations for inadequate third-party vendor security.
Age Verification Systems Under Scrutiny
The breach represents the first major security incident directly tied to mandatory age verification infrastructure, occurring just months after the UK’s Online Safety Act took full effect in July 2025. The legislation requires platforms to implement robust age assurance measures, driving increased adoption of ID verification systems.
Privacy advocates have long warned that centralized databases of government IDs create attractive targets for hackers. As Electronic Frontier Foundation analysts note, “Whenever you create a database of sensitive information, you create a target for malicious actors.” The Discord breach validates concerns that age verification requirements introduce new security vulnerabilities.
Security experts worry this incident could push younger users toward unregulated platforms that don’t require identification, or encourage VPN usage to bypass geographic restrictions. The UK’s age verification mandate affects numerous online services, potentially creating multiple similar attack vectors across different platforms.
Broader Implications for Digital Identity Systems
This breach highlights systemic risks in the growing digital identity verification market, projected to reach $28 billion by 2026 according to Gartner research. As more countries consider similar online safety legislation, the security of third-party verification providers becomes increasingly critical.
The incident demonstrates how security vulnerabilities can migrate through supply chains. While Discord maintained strong internal security practices, the compromise of their vendor created the exposure. This pattern echoes recent breaches at companies like Okta where third-party support system compromises led to customer data exposure.
As of publication, Discord continues working with international law enforcement to investigate the breach and monitor for any misuse of stolen data. The company has implemented additional security measures for all third-party vendors and enhanced monitoring of age verification systems.