The blame game for the Discord data breach has begun, as a service provider blamed by the company claims it wasn't the cause of the hack, nor were they serving the data that was stolen.
In early October, Discord disclosed that a "Security Incident" occurred affecting approximately 70,000 users. After an initial notice was published on October 3, Discord later updated the page, directing the blame for the hack onto one of its providers.
The edited release claims that it was a "breach" of third-party service provider 5CA, which Discord says is used in its customer support system.
On October 14, 5CA Systems responded to the claim. Citing reports that 5CA was the cause of the breach, the company insists that its systems were not involved.
Furthermore, 5CA said it hasn't handled any government-issued IDs for Discord itself. The breach reportedly involved the leak of tens of thousands of passport and driving license photographs, used for age verification.
5CA goes on to say its systems are still secure, client data continues to be protected, and that it is both performing its own investigation and working with Discord and cybersecurity experts on the matter.
Interim findings apparently reveal that the incident occurred outside of 5CA's systems and that the company wasn't hacked, it claims. However, 5CA believes that the incident could have resulted from "human error," but doesn't go into detail on what this actually entails.
Publicly passing the buck
The changed Discord press release and the notice from 5CA don't do anything to directly fix the situation, but are really instances of the companies trying to control the story. Or at the very least, try to deflect the blame for a hot-button topic, such as a breach of security or privacy, in another direction.
Discord initially said in its disclosure that it was due to a third-party service provider involved in customer care. By directly naming a company, this limits the damage to Discord's reputation more than a deflection to an unnamed and nebulous entity.
We don't know whether Discord is accurate with its blame, especially since 5CA denies it is at fault. We also don't know if 5CA is acting truthfully about being innocent either, and no one will until a trusted third party or law enforcement steps in and makes their own statements.
This is, however, not the only change Discord made to its initial notice.
Originally, Discord said the breach affected a "limited number of users," without specifying how many were affected. It wasn't until a few days later, and after an online claim of 2.1 million images on X, that the figure of 70,000 was added to the notice.
While Discord may have pushed 5CA under the bus, and 5CA returned the favor, it will be some time before we know who's truly to blame. Clearly, Discord is accountable, however.
Sensitive information
What is known about the breach is that it involves images of government-issued IDs, submitted as part of an age-related appeal process. Like many other apps, Discord has to try and to confirm the age of its users, to protect them from prohibited content as per various recent new laws around the world.
Discord immediately declared that its systems were not attacked, and the third-party tools used to handle the age-related customer service queries were the target. Discord's messages and activities of users were not part of the breach.
The data taken in the breach, according to Discord, includes:
- User names
- Discord usernames
- Email addresses
- Other contact details provided to Discord customer support
- Payment type
- Last four digits of a user's credit card
- Account-associated purchase history
- Messages with customer support agents
- IP addresses
- "Limited corporate data" such as training materials.
So far, no-one has admitted to the breach, and the data doesn't seem to be sold or used elsewhere at this time. However, the details could be used in further hacks and attacks.
Discord has said it will be contacting affected users about the breach, including what data was taken.
While Discord and a security researcher disagree on the number of affected users and images, it is a relatively small number against Discord's total user base. Discord has approximately 689 million registered users and 259 million monthly active users.
For other users who aren't directly affected by the breach, there's little they can do about the situation. In some cases, they may experience messages based on the details hackers gleam from the breach, using the information on the IDs to convince potential victims of confidence tricks.
As usual, Internet users should continue to maintain good online hygiene, such as questioning the sources of communications and ensuring file downloads are from legitimate sources.
