Discord said in a statement revealed late last week that an unnamed customer service vendor had been compromised, exposing support tickets and personal details submitted by users who contacted its help or Trust & Safety teams.
The company said the stolen data may include names, email addresses, billing information such as payment type and the last four digits of credit cards, and in some cases images of government IDs provided for age verification. Discord also said attackers could access IP addresses, messages and attachments sent to customer service agents.
Discord stressed that its own systems were not directly accessed and said an “unauthorized party” targeted the third-party support service with a view to extort a financial ransom from the company. The firm said it cut off the vendor’s access once the intrusion was detected, launched an internal investigation and notified law enforcement.
The company said it is emailing affected users and warning them to be alert for scams or attempts to exploit the stolen information. Some reports have named a customer support vendor, but Discord has not confirmed which contractor was responsible for handling support tickets.
The number of people affected remains unanswered; Discord described the number as “limited,” but the article noted that with more than 200 million active users each month even a small share of support interactions could amount to a sizable haul of personal data.
Discord has yet to respond to questions about which vendor was compromised or how many users were caught in the breach. The company now faces the task of reassuring users that their personal data is secure even when the leak originated at a third party.