Discord reports theft of IDs during manual age verification

An attacker managed to gain access to systems belonging to a third party that’s being used for customer service. During the incident, an unknown quantity of identity documents provided for age verification were leaked.
According to Discord, an unauthorized party targeted its third-party customer support services to access user data. The threat actor didn’t gain access to Discord’s systems directly.
The stolen data includes names, usernames, email addresses, and other contact details provided to customer service. It also includes the last four digits of credit card numbers, IP addresses, and messages with Discord’s customer service agents.
In addition, corporate data like training materials and internal presentations, and copies of identity documents were stolen from users who had objected to Discord’s age estimation. The chat platform doesn’t say how many users have been affected by the data breach.
Discord is reassuring victims that no full credit card numbers or CCV codes have been leaked. The same goes for passwords, authentication data, and messages or activities beyond what users may have discussed with customer support.
The security incident was discovered recently. As soon as the data breach came to light, steps were taken to prevent recurrence, including revoking the customer support provider’s access to chat platform’s ticketing system, launching an internal investigation, and calling upon leading computer forensics experts to support the investigation.
Relevant law enforcement authorities have been notified about the incident, as well as affected customers.
“Looking ahead, we recommend impacted users stay alert when receiving messages or other communication that may seem suspicious. We have service agents on hand to answer questions and provide additional support,” Discord says in a press release.
Last month, Discord launched age verification, which requires users to submit a photo or video of their ID. This is an automated system that has not been affected, but users who do not agree to the automated age verification can choose to send a photo of their ID to customer service. This group appears to be the victim of ID leaks.
According to Discord, this involves a “limited number of users” who had communicated with the platform’s Customer Support or Trust & Safety teams.
As of writing, no ransomware operation has claimed responsibility for the data breach.