Discord Customer Service Data Breach Exposes Scanned IDs And User Data To Hackers

Discord's latest security screw-up is exactly the kind of nightmare privacy advocates have been warning about since platforms started demanding government IDs for "safety." The company confirmed this week that a breach at one of its customer service contractors exposed user information—including, in some cases, actual scanned IDs submitted for age verification. It's not a leak from Discord's own servers, they insist, but that's hardly any comfort when the data in question only existed because Discord began collecting it in the first place.

According to the company, the attacker compromised a third-party support vendor around September 20th. Discord disclosed the breach publicly in early October, saying the hacker accessed user names, emails, billing details, and internal support communications. The company stressed that passwords and full credit card numbers were not stolen, but that "a small number" of government-issued ID images were. Those came primarily from users who had sent an ID to support to appeal an age verification decision, so the leaked documents exist only because of Discord's new identity system.

That system was rolled out this year to comply with new age verification laws in the UK and the long-standing COPPA rules in the U.S. The intent was noble enough: keep under-13 users off the platform, and wall off "adult" content from minors. In practice, it meant ordinary users had to hand over sensitive documents (driver's licenses, passports, and clear facial selfies) to prove that they are adults. Now at least some of those documents are in the wild. The breach does not just erode trust in Discord; it is a warning about the growing appetite of governments and tech companies to tie online identity to real-world paperwork.


Discord says its verification vendor (k-ID) deletes ID images after checking them, and the implication is that this is the reason only a "small number" of ID images were stolen. Maybe so, but note that the images that did leak were not taken from the verification vendor at all: they were copies users sent to a support contractor when appealing a failed check, so the deletion policy of one system said nothing about the copies sitting in another. Any collection of personal identification data, no matter how temporary, is a jackpot for bad actors, and once a government starts demanding proof of age, companies have little choice but to build systems that store it somewhere, including in the side channels (support tickets, appeals) that the formal retention policy never covered. The UK's Online Safety Act made breaches like this inevitable, and this attack is a simple object lesson in how overzealous regulation and corporate compliance theater can combine to make the internet less safe, not more.

Users trusted Discord with their real identities because the law and the company's resulting policies gave them no real alternative. Now those same policies have turned into a privacy disaster. You can head over here to check Discord's release on the matter, and check your e-mail for a message from Discord if you are an impacted user. Treat that message with some care, too: breach notifications are a common phishing lure, so verify the sender and go to Discord directly rather than logging in through a link in the e-mail.