Discord Reportedly Faces Extortion After 2.1 Million of User ID Photos Stolen

The breach happened on September 20, 2025, when attackers broke into Discord’s customer support system and grabbed sensitive personal documents including driver’s licenses and passports.

The attack targeted Discord’s Zendesk support system, exposing 2,185,151 photos belonging to 2.1 million users who submitted ID documents for age verification. Discord waited nearly two weeks before publicly announcing the breach on October 3, 2025.

What Information Was Stolen

The hackers accessed more than just photos. They also grabbed names, email addresses, Discord usernames, and messages users sent to customer support. Some users had their IP addresses exposed along with limited payment information—specifically the last four digits of credit card numbers and purchase history.

Discord confirmed that full credit card numbers, passwords, and regular chat messages between users were not accessed. The breach only affected people who contacted Discord’s Customer Support or Trust & Safety teams.

According to security researchers, the attackers claim they have 1.5 terabytes worth of data. That’s an enormous amount of personal information now in the hands of criminals.

How the Hack Happened

The breach didn’t target Discord’s main systems directly. Instead, hackers used social engineering tactics—manipulating people rather than exploiting software bugs—to compromise the third-party support provider.

A group calling themselves Scattered Lapsus$ Hunters has taken credit for the attack. This coalition combines tactics from well-known hacking groups like Scattered Spider, Lapsu$, and ShinyHunters. They posted screenshots on Telegram showing they had access to Discord’s internal tools and administrative panels, mocking the company’s security measures.

Source: @vxunderground

However, there’s confusion about who actually pulled off the hack. The group later suggested a different team they know was responsible for the breach.

Age Verification Laws Create New Risks

This breach highlights major concerns about new age verification requirements. The UK passed the Online Safety Act in July 2025, forcing platforms like Discord to verify users’ ages by checking government IDs. Several US states followed with similar laws—Ohio and Arizona enacted their versions in late September 2025.

Discord promised users that ID photos would be “deleted directly after your age group is confirmed.” But the stolen data came from users who appealed age verification decisions, meaning Discord’s support system kept copies of these documents.

Privacy advocates warned this would happen. When companies collect and store large amounts of sensitive identity documents, they create attractive targets for hackers. This Discord breach proves those fears were justified.

Impact on the Crypto Community

The breach poses serious risks for cryptocurrency users on Discord. Many crypto projects, NFT communities, and blockchain networks use Discord as their main communication hub. Developers, traders, and investors regularly discuss sensitive topics in these spaces.

Hudson Rock’s Chief Technology Officer Alon Gal explained the danger: “If it leaks, this db is going to be huge for solving crypto related hacks and scams because scammers don’t often remember using a burner email and VPN and almost all of them are on Discord.”

The stolen data could help criminals identify crypto influencers, traders with significant holdings, and project developers. Hackers could use this information for targeted phishing attacks, identity theft, or extortion schemes. Someone’s real name, location details from ID photos, and Discord activity creates a detailed profile criminals can exploit.

The timing is particularly bad since Discord has over 200 million monthly users, with a significant portion involved in crypto and blockchain communities.

Better Solutions Exist

Technology companies don’t need to collect and store millions of ID photos to verify age. Zero-knowledge proofs offer a privacy-friendly alternative that mathematically confirms someone’s age without revealing their full identity or storing sensitive documents.

Concordium, a blockchain platform, launched a mobile app in August that uses this technology. Users can prove they’re over 18 without sharing their actual ID with any company. Google Wallet also integrated zero-knowledge proofs for age verification in April 2025.

These systems prevent the accumulation of document photos on servers that can be hacked. If Discord had used zero-knowledge proofs instead of collecting ID images, this breach would have exposed far less sensitive information.

Discord’s Response and User Actions

Discord immediately cut off the compromised support provider’s access and brought in computer forensics experts. The company notified law enforcement and data protection authorities about the breach.

Affected users are receiving emails from noreply@discord.com—Discord’s only official channel for breach notifications. The company warned it will never call users about this incident. Users should watch for phishing emails pretending to be from Discord, as scammers often exploit data breaches to steal more information.

This marks Discord’s third security incident in 2025. The platform previously dealt with Epsilon Red ransomware distribution in July and a malware attack through its Content Delivery Network in August.

The Bottom Line

This breach demonstrates exactly what privacy advocates feared about mandatory ID collection. When companies store millions of sensitive documents in centralized databases, they create irresistible targets for hackers. The 2.1 million Discord users who trusted the platform with their government IDs now face potential identity theft risks.

For crypto users, the situation is particularly concerning given Discord’s central role in blockchain communities. Better privacy technology exists and companies should adopt it before more personal information falls into criminal hands.