
Discord says it won’t pay threat actors who claim to have stolen the data of 5.5 million unique users from the company’s Zendesk support system instance, including government IDs and some people’s partial payment information.
The company is also pushing back on claims that 2.1 million government ID photos were exposed in the breach, saying that about 70,000 users’ government ID photos were exposed.
While the attackers claim the breach occurred through Discord’s Zendesk support instance, the company has not confirmed this and only said it involved a third-party service used for customer support.
“First of all, as stated in our blog post, this was not a breach of Discord, but rather a third-party service we use to support our customer service efforts,” Discord told BleepingComputer in a statement.
“Second, the numbers being shared are false and are part of an effort to extort payments from Discord. Of the affected accounts globally, we have identified approximately 70,000 users who may have had government-ID photos exposed, which our vendors used to review age-related appeals.”
“Third, we will not reward those responsible for their illegal actions.”
In conversations with BleepingComputer, the hackers said that Discord was not being transparent about the severity of the breach, adding that they stole 1.6 TB of data from the company’s Zendesk instance.
According to the threat actor, they had access to Discord’s Zendesk instance for 58 hours starting on September 20, 2025. However, the attackers say the breach did not stem from a Zendesk vulnerability or breach, but from a compromised account belonging to a support agent employed through a business process outsourcing (BPO) provider used by Discord.
Since many companies have outsourced their support and IT help desks to BPOs, they have become a popular target for attackers looking to gain access to downstream customer environments.
The hackers allege that Discord’s internal Zendesk instance gave them access to a support application, known as ZenBar, that allowed them to perform various support-related tasks, such as disabling multi-factor authentication and viewing users’ phone numbers and email addresses.
Using access to Discord’s support platform, the attackers claim to have stolen 1.6 terabytes of data, including approximately 1.5 TB of ticket attachments and over 100 GB of ticket transcripts.
The hackers say the stolen data involved approximately 8.4 million tickets affecting 5.5 million unique users, and included some type of payment information from approximately 580,000 users.
The threat actors themselves admitted to BleepingComputer that they are unsure how many government IDs were stolen, but they believe it to be more than 70,000, as they say there were approximately 521,000 age-verification stamps.
The threat actors also shared a sample of the stolen user data, which may include email addresses, Discord usernames and IDs, phone numbers, partial payment information, dates of birth, multi-factor authentication information, suspicious activity levels, and other internal information.
Payment information for some users was reportedly retrievable through a Zendesk integration with Discord’s internal systems. These integrations reportedly allowed attackers to make millions of API queries to Discord’s internal database through the Zendesk platform and obtain further information.
BleepingComputer could not independently verify the hackers’ claims or the authenticity of the data samples provided.
The hacker said the group demanded $5 million in ransom, later reducing it to $3.5 million, and engaged in private conversations with Discord between September 25 and October 2.
After Discord ceased communications and released a public statement about the incident, the attackers said they were “extremely angry” and planned to publicly leak the data if the extortion demand was not paid.
BleepingComputer contacted Discord with additional questions about these claims, including why the company retained government IDs after completing age verification, but did not receive a response beyond the above statement.


