
Discord Zendesk Data Breach 2025: Support Ticket System Compromised by Scattered Lapsus$ Hunters

  • Rescana
  • Oct 5
  • 6 min read

Executive Summary

On September 20, 2025, Discord disclosed a data breach resulting from the compromise of a third-party customer service provider, identified by attackers as Zendesk. The breach did not impact Discord’s core infrastructure but allowed unauthorized access to support ticket data for a limited number of users who had interacted with Discord’s Customer Support or Trust & Safety teams. Exposed information includes names, Discord usernames, email addresses, limited billing details, IP addresses, support messages, and, for a small subset, images of government-issued identification documents. The attackers, a group calling themselves “Scattered Lapsus$ Hunters,” demanded a ransom and threatened to leak the stolen data. Discord responded by revoking the provider’s access, launching an internal investigation, engaging a computer forensics firm, and notifying law enforcement and data protection authorities. The incident highlights the risks associated with third-party vendor access and the potential for identity theft and fraud when sensitive data is exposed. All technical and impact details are corroborated by three independent, primary sources: the official Discord press release, BleepingComputer, and Hackread. For further information, see the Technical Information and References sections.

Technical Information

The Discord data breach of 2025 was executed through a supply chain attack targeting a third-party customer service provider, identified by the attackers as Zendesk. The attackers did not breach Discord’s main systems but exploited the provider’s privileged access to the support ticketing system, which contained sensitive user data. This attack vector is consistent with the MITRE ATT&CK technique T1195 (Supply Chain Compromise) [https://attack.mitre.org/techniques/T1195/].

Upon gaining access, the attackers used valid credentials or session tokens to interact with the support system, as evidenced by screenshots of internal tools and access control lists (including Kolide and Okta) shared by the attackers. Kolide is a device trust solution, and Okta is a cloud-based Identity and Access Management (IAM) service that provides multi-factor authentication. The attackers’ ability to access these tools suggests they either compromised support agent credentials or hijacked active sessions, aligning with MITRE ATT&CK T1078 (Valid Accounts) [https://attack.mitre.org/techniques/T1078/].

The attackers collected data from the support ticketing system, including personally identifiable information (PII) such as real names, Discord usernames, email addresses, and other contact details provided to support. They also accessed messages and attachments exchanged with customer service agents, limited billing information (payment type, last four digits of credit card, purchase history), IP addresses, and, for a small number of users, images of government-issued IDs (driver’s licenses, passports) submitted for age verification appeals. This data collection aligns with MITRE ATT&CK T1213 (Data from Information Repositories) [https://attack.mitre.org/techniques/T1213/].

The attackers exfiltrated the data over web protocols, consistent with MITRE ATT&CK T1567 (Exfiltration Over Web Service) [https://attack.mitre.org/techniques/T1567/]. They then attempted to extort Discord by threatening to leak the stolen information, a tactic mapped to MITRE ATT&CK T1565 (Data Manipulation/Extortion) [https://attack.mitre.org/techniques/T1565/] and T1486 (Data Encrypted for Impact) [https://attack.mitre.org/techniques/T1486/].

No specific malware was identified in the public disclosures or technical analyses. The attack relied on credential access and abuse of legitimate support tools, with no evidence of software vulnerabilities or malware deployment. Screenshots posted by the attackers confirm access to Kolide and Okta administrative resources, but there is no indication that these platforms themselves were compromised beyond the abuse of valid credentials.

The threat actor, “Scattered Lapsus$ Hunters” (SLH), is a coalition combining tactics and branding from Scattered Spider, Lapsus$, and ShinyHunters. This group is known for targeting third-party providers and leveraging supply chain attacks for extortion and data theft. Their history includes attacks on technology and SaaS companies, often focusing on support and identity management systems. Attribution to SLH is based on public claims, group branding, and overlap in tactics, techniques, and procedures (TTPs), but lacks unique technical artifacts, resulting in medium confidence for attribution.

The breach primarily affects users who interacted with Discord’s support or Trust & Safety teams, a subset of the platform’s 200+ million monthly users. The exposure of PII, limited billing data, and government-issued IDs raises significant risks of identity theft and fraud. The incident underscores the importance of robust third-party risk management, especially for organizations that outsource customer support functions.

Discord’s response included immediate revocation of the provider’s access to the ticketing system, initiation of an internal investigation, engagement of a leading computer forensics firm, and notification of law enforcement and relevant data protection authorities. Impacted users were notified via email from noreply@discord.com, and Discord advised vigilance against phishing attempts exploiting the breach.

All technical claims and impact assessments are corroborated by three independent, primary sources: the official Discord press release [https://discord.com/press-releases/update-on-security-incident-involving-third-party-customer-service], BleepingComputer [https://www.bleepingcomputer.com/news/security/discord-discloses-data-breach-after-hackers-steal-support-tickets/], and Hackread [https://hackread.com/discord-data-breach-hackers-ids-billing-support-chats/].

Affected Versions & Timeline

The breach affected users who interacted with Discord’s Customer Support or Trust & Safety teams via the third-party provider’s ticketing system. The attack occurred on September 20, 2025, as confirmed by both Discord and independent technical analyses. The specific third-party provider was not named in official disclosures but was identified as Zendesk by the attackers and corroborated by technical reporting.

The timeline is as follows: On September 20, 2025, the attackers gained unauthorized access to the third-party support system. Discord detected the breach shortly thereafter, revoked the provider’s access, and began an internal investigation. Public disclosure occurred on October 3, 2025, with notifications to affected users and authorities initiated concurrently. The duration of unauthorized access is not specified in public sources, and the total number of affected users remains undisclosed.

No evidence indicates that Discord’s main platform, user authentication systems, or general message data were compromised. The breach was limited to data stored within the third-party support ticketing system.

Threat Activity

The threat actor responsible for the breach is “Scattered Lapsus$ Hunters” (SLH), a coalition with a history of targeting technology companies through supply chain and credential-based attacks. SLH claimed responsibility for the attack, posting screenshots of internal Discord tools and administrative resources, including Kolide and Okta dashboards, to demonstrate their access.

The attackers’ primary motivation was financial extortion. They demanded a ransom from Discord in exchange for not leaking the stolen data. Public posts by the group included taunts directed at Discord’s security measures and threats to publish additional stolen material on a “Data Leak Site” (DLS). The group also revealed details such as the alleged internal network name “SLHM” and dismissed the effectiveness of Discord’s response actions, such as disabling Okta and Kolide logins.

The attack methodology involved leveraging valid credentials or session tokens to access the support ticketing system, collecting sensitive user data, and exfiltrating it for extortion purposes. The attackers did not deploy malware or exploit software vulnerabilities; instead, they abused legitimate access pathways within the third-party provider’s environment.

The incident highlights the ongoing threat posed by groups specializing in supply chain attacks and the exploitation of third-party vendor relationships. The exposure of government-issued IDs and billing data significantly increases the risk of downstream identity theft, fraud, and targeted phishing campaigns against affected users.

Mitigation & Workarounds

The following mitigation actions and workarounds are prioritized by severity:

Critical: Organizations should immediately review and restrict third-party vendor access to sensitive systems, ensuring that only the minimum necessary permissions are granted. Regularly audit third-party integrations and enforce strong authentication and session management controls for all external partners.

High: Implement continuous monitoring and anomaly detection for all third-party access points, with automated alerts for unusual activity. Require multi-factor authentication (MFA) for all support and administrative accounts, and ensure that session tokens are regularly rotated and invalidated upon role changes or detected compromise.

Medium: Conduct regular tabletop exercises and incident response drills focused on third-party compromise scenarios. Ensure that all customer support data is encrypted at rest and in transit, and that data retention policies minimize the exposure window for sensitive information.

Low: Educate users about the risks of phishing and social engineering following a breach, especially when attackers may use stolen data to craft convincing lures. Provide clear guidance on how to verify official communications and report suspicious messages.
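The High-priority item above (monitoring third-party access points with alerts for unusual activity, and bounding session lifetimes) can be illustrated with a small detection pass over ticket-system audit events. The following is an added example written for this post, not code from Rescana, Discord or Zendesk; the event schema, the vendor account naming (a "vendor-" prefix), the 12-hour session rotation policy and the thresholds are all assumptions, and the audit records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit records in a generic ticket-system export shape (assumed,
# not a real Zendesk schema): who did what to which ticket, when, and when
# the session that issued the request was first established.
SAMPLE_EVENTS = [
    {"actor": "vendor-agent-01", "action": "ticket.view", "ticket": f"T{n}",
     "category": "general", "session_start": "2025-09-20T08:00:00",
     "ts": f"2025-09-20T09:0{n // 12}:{(n % 12) * 5:02d}"}
    for n in range(1, 61)
] + [
    {"actor": "vendor-agent-02", "action": "attachment.download", "ticket": "T900",
     "category": "id_verification", "session_start": "2025-09-19T07:00:00",
     "ts": "2025-09-20T09:30:00"},
    {"actor": "staff-agent-07", "action": "ticket.view", "ticket": "T901",
     "category": "general", "session_start": "2025-09-20T09:00:00",
     "ts": "2025-09-20T09:31:00"},
]

BULK_THRESHOLD = 50                    # distinct tickets per actor per window
WINDOW = timedelta(minutes=10)
MAX_SESSION_AGE = timedelta(hours=12)  # assumed vendor session rotation policy


def detect(events):
    """Return (rule, actor) alerts for anomalous third-party support activity."""
    alerts, views = [], defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        # Rule 1: request issued by a session older than the rotation policy.
        if ts - datetime.fromisoformat(e["session_start"]) > MAX_SESSION_AGE:
            alerts.append(("stale_session", e["actor"]))
        # Rule 2: vendor account pulling attachments from ID-verification tickets.
        if (e["actor"].startswith("vendor-") and e["action"] == "attachment.download"
                and e["category"] == "id_verification"):
            alerts.append(("vendor_id_attachment", e["actor"]))
        if e["action"] == "ticket.view":
            views[e["actor"]].append((ts, e["ticket"]))
    # Rule 3: bulk ticket reads, sliding window over each actor's views.
    for actor, seen in views.items():
        for i, (t0, _) in enumerate(seen):
            distinct = {tk for t, tk in seen[i:] if t - t0 <= WINDOW}
            if len(distinct) >= BULK_THRESHOLD:
                alerts.append(("bulk_ticket_access", actor))
                break
    return alerts
```

Run against the constructed events, the pass flags the vendor account with a day-old session that downloads an ID-verification attachment and the vendor account that reads sixty distinct tickets in five minutes, while the staff agent's single view is not flagged.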

For users affected by this incident, Discord has advised vigilance against suspicious emails or communications, particularly those purporting to be from Discord but originating from unofficial channels. Impacted users should monitor their accounts for signs of identity theft or fraud and consider placing alerts or freezes on their credit files if government-issued IDs were exposed.

References

Official Discord Press Release (October 3, 2025): https://discord.com/press-releases/update-on-security-incident-involving-third-party-customer-service

BleepingComputer Technical Analysis (October 4, 2025): https://www.bleepingcomputer.com/news/security/discord-discloses-data-breach-after-hackers-steal-support-tickets/

Hackread Technical Analysis (October 4, 2025): https://hackread.com/discord-data-breach-hackers-ids-billing-support-chats/

About Rescana

Rescana provides a Third-Party Risk Management (TPRM) platform designed to help organizations identify, assess, and monitor risks associated with external vendors and service providers. Our platform enables continuous evaluation of vendor security posture, supports incident response workflows, and facilitates compliance with regulatory requirements for third-party risk. For questions about this incident or to discuss third-party risk management strategies, contact us at ops@rescana.com.
