A breach of popular cross-platform communications app Discord may be incredibly serious, with a security research group claiming that 2.1 million passport and driving license photos were taken by hackers, versus the official claims of a "limited number of users."
On October 3, Discord issued a warning that it was the victim of a "Security Incident" that involved a third-party customer service platform. Reporting following the breach indicates that the platform attacked appears to be Zendesk.
Discord's account of the incident claims that it impacted a "limited number of users" who had contacted its Customer Support or Trust & Safety teams.
The attackers did not gain access to Discord directly, the company insists. No messages or activities on Discord itself were accessed, but communications to customer support were at risk of exposure.
Management then took steps to revoke Zendesk's access to the Discord ticketing system, as well as launching an internal investigation and employing a computer forensics firm. Discord is also contacting affected users and working with law enforcement on the matter.
A question of impact
When it comes to what data was at risk, Discord says this includes:
- User names
- Discord usernames
- Email addresses
- Other contact details provided to Discord customer support
- Payment type
- Last four digits of a user's credit card
- Account-associated purchase history
- Messages with customer support agents
- IP addresses
- "Limited corporate data" such as training materials.
Discord insists that full credit card numbers, Discord messages and activity, and passwords or authentication data were not part of the breach.
The official announcement on Saturday by the company didn't disclose how many accounts were affected by the breach in total. Discord on Wednesday updated its document, stating the "small number of government-ID images" amounts to 70,000.
While Discord describes them as a "small number," one well-known breach-researching X account proposes a much higher number, which is what drove Discord's official response.
According to "vx-underground," there was a total of 1.5 terabytes of age verification-related photos in the haul. That amounts to 2.19 million images of driving licenses and passports.
Discord has 689 million registered users and 259 million monthly active users, for comparison.
The account adds that the image trove of personal details gave considerable "leverage" to an attacker. Given the widespread use of Discord, this could also affect celebrities, politicians, government officials, and other major targets.
Little for users to do
The breach has affected users on multiple platforms, including iOS, macOS, and iPadOS. However, since it involves Discord's consumer help desk, it won't really affect any users directly unless they contacted support and supplied information, like their driver's license.
For those users, Discord has said that it will directly contact people affected by the breach with next steps.
Even so, for general Internet users, the release of such sensitive information could be a problem, even if it isn't theirs. The details could be used not only directly for attacking accounts, but also as proof in a phishing attack.
Internet users should maintain good online hygiene, including taking care over when and where they download apps and files from questionable sources. When talking to someone online, consider whether the information they present could have been obtained from a license or a passport, or otherwise collected by an attacker.
Updated October 8, 9:25 p.m. to reflect Discord updating its original statement with the 70,000 number.







