Discord breach exposes 70,000 government IDs through age verification vendor
By isabelle // 2025-10-10
  • A breach at a third-party Discord support vendor exposed user data.
  • Approximately 70,000 government-issued identification photos were stolen.
  • Hackers accessed the system via a single compromised support agent account.
  • The incident fuels debate over the risks of mandatory digital ID collection.
  • Discord disputes the hackers' claims and refuses to pay the ransom.
In a digital age where governments increasingly demand you hand over your most sensitive documents to access online platforms, a massive security failure has exposed the profound dangers of this surveillance-state agenda. A breach at a third-party customer support system used by the popular chat service Discord has left approximately 70,000 users globally with their government-issued identification photos exposed to criminals. The incident, which began on September 20, 2025, saw attackers infiltrate a Zendesk-based platform for 58 hours, accessing a treasure trove of personal data and igniting a fierce debate over data retention policies and corporate accountability.

The attackers allege they stole a staggering 1.6 terabytes of data, affecting information tied to around 5.5 million unique users. They claim their entry point was not a complex software exploit but the compromised account of a single support agent working for an outsourced vendor. From this foothold, they say they extracted 1.5 terabytes of ticket attachments and more than 100 gigabytes of ticket transcripts, pulling data from roughly 8.4 million support tickets.

Discord strongly disputes this narrative and the scale of the breach. A company spokesperson, Nu Wexler, stated, "This was not a breach of Discord, but rather a third-party service we use to support our customer service efforts." The company maintains that the incident was confined to the third-party provider and did not impact Discord's own core systems directly. Wexler also labeled the hackers' claims about the data volume as "incorrect and part of an attempt to extort a payment from Discord."

The scope of the exposure

Despite the disagreement on scale, the confirmed theft is severe. Beyond the government IDs, information such as user names, email addresses, IP addresses, and the last four digits of credit card numbers may have been accessed. The hackers have been attempting to extort a ransom from the company, a demand Discord says it will not fulfill. "We will not reward those responsible for their illegal actions," Wexler affirmed.

The exposure of 70,000 government IDs raises urgent questions that Discord has not fully answered. The IDs were collected through "age-related appeals," a process where users who were locked out of the platform had to upload a photo of their government ID alongside their Discord username to regain access. This practice is increasingly common, driven by laws like the UK's Online Safety Act, which requires platforms to perform age checks.

A predictable consequence of the digital ID push

Cybersecurity experts have long warned that vendors performing these sensitive age checks are becoming prime targets for hackers. Nathan Webb, a principal consultant at the UK digital security company Acumen Cyber, called the breach "very concerning." He emphasized, "Despite age verification being outsourced, businesses still have an accountability to ensure that data is stored appropriately. It’s important for organisations to recognise that delegating certain processes does not absolve their responsibility to uphold data protection and security standards."

A critical question remains: Why were these highly sensitive government identification documents retained by the vendor after the age verification process was complete? Discord has not offered clarification on its data retention policy for these IDs, leaving users in the dark about how long their most personal data was stored and why it was not purged immediately after verification.

This breach serves as a warning of the growing danger of mandatory online ID verification. As governments push platforms to collect government-issued IDs for age checks and compliance under the guise of safety, this sensitive data ends up stored across multiple third-party systems, often with vendors users never interact with or even know exist. The centralization of such data creates a honeypot for criminals, turning digital safety initiatives into tools for mass identity theft. This incident illustrates the concerns digital rights activists have expressed about using age checks as a means of making the internet "safer," arguing that the cure can be worse than the disease when it creates massive, vulnerable databases of citizen identities.

In the end, this is not just a story about a hack. It is a cautionary tale about the inevitable outcome of building a system that demands you surrender your identity to participate in modern society. Every new law demanding digital age verification creates another target, and as this breach proves, the third-party vendors tasked with guarding our digital souls are failing. The very institutions promising safety are instead engineering a crisis of privacy and security, leaving tens of thousands of users to face the consequences of having their official identities spilled onto the dark web.

Sources for this article include: ReclaimTheNet.org, TheGuardian.com, TheVerge.com, TechCrunch.com