Discord Blinks: Platform Shrugs Off 1.5TB ID Theft Claim as 'Inaccurate', Admits to 70K Affected Users

What to know

Discord's 3rd party customer service vendor, Zendesk, was hacked last week.
Hackers claim more than 1.5TB of stolen user data, though Discord says the number is exaggerated.
Discord has admitted to 70,000 users being affected.
Discord's spokesperson Nu Wexler has highlighted that the breach was on the vendor's side, not Discord's.

Discord is involved in a very serious and very public game of numbers. Because last week, one of Discord’s customer service vendors’ security was breached. Hackers have reportedly targeted a third-party service named Zendesk that Discord uses for support. Zendesk is a software company that provides customer service, sales, and customer communications solutions through its platform of products, including a ticketing system, help center, and AI-powered agents.

The hackers got their hands on age verification data from Zendesk and are now allegedly trying to shake down Discord for money by loudly bragging to the world that they stole a huge chunk of over 1.5 terabytes of data, which includes over government IDs of over 2.1 million users such as passports and driver's licenses. It is an absolute treasure trove for identity thieves.

Chat, we are cooked

Discord is being extorted by the people who compromised their Zendesk instance

They've got 1.5TB of age verification related photos. 2,185,151 photos

tl;dr 2.1m Discord users drivers license and/or passport might be leaked. Unknown number of e-mails
— vx-underground (@vxunderground) October 8, 2025

"It Was The Vendor, Not Us!"

Discord's response has been firm. They have not only denied responsibility but also asked people to not believe the exaggerated number. Discord’s spokesperson Nu Wexler has come forward and said that the breach was on the vendor's side and not with Discord's core security.

In a statement to the Verge, Wexler further mentioned:

"All affected users globally have been contacted and we continue to work closely with law enforcement, data protection authorities, and external security experts. We’ve secured the affected systems and ended work with the compromised vendor. We take our responsibility to protect your personal data seriously and understand the concern this may cause."

Spokesperson Asks to Stop Exaggerating.

To their credit, Discord did admit that almost 70,000 users have most likely had their governmental IDs leaked, but they have said that the figure of 2.1 million being thrown around is inaccurate and just an attempt at extortion by the hackers.

(Translation: Discord knows they got some stuff, but they are not refusing to play ball with the hackers, and aren’t going to let them terrify 2 million people.)

"Breach Not On Our End, but the Vendor's"

The company was quick to stress that this was not a breach of Discord's core systems, but more of a third-party service’s breach.

For the unfortunate users who had submitted IDs for age appeals, the damage goes beyond the photo. The breach also provided the hackers personal info like usernames, emails, IP addresses, customer support chat transcripts, and the last four digits of credit cards.

What data was involved, and what wasn't?

According to Discord's press release last week, the data that may have been impacted... may include:

Name, Discord username, email and other contact details if provided to Discord customer support
Limited billing information such as payment type, the last four digits of your credit card, and purchase history if associated with your account
IP addresses
Messages with our customer service agents
Limited corporate data (training materials, internal presentations)
The unauthorized party also gained access to a small number of government‑ID images

And the data that was not involved includes:

Full credit card numbers or CCV codes
Messages or activity on Discord beyond what users may have discussed with customer support
Passwords or authentication data

The whole messy drama has reminded us of all the security risks created by these extremely invasive laws that force platforms like Discord, to collect sensitive IDs in the first place, which is not essential for platforms like these.

Discord had previously promised these documents would be "immediately deleted" after verification. But clearly that didn't happen fast enough to stop the cyber-equivalent of a day light robbery.

Discord has notified all the people in the group of 70,000 people and is actively working with authorities to clean up the mess. For the people who are affected, it is time to put their identity theft protection on high alert.