Discord reveals more on data breach – says 70,000 government ID photos may have been leaked


- Discord data breach linked to third-party support provider – likely Zendesk, not Discord itself
- The attackers claim to have stolen 5.5 million user records and 2.1 million photo IDs during a 58-hour access window
- Discord disputes figures, confirms 70,000 identity disclosures, refuses to pay extortion demands
Discord has revealed more details about the recent third-party data breach incident, including an estimate of the likely number of ID card photos stolen in the attack.
The company had warned its users about a potential data breach, claiming that a third-party customer support service provider had been breached. “The unauthorized party then gained access to the information of a limited number of users who had contacted Discord through our customer support and/or trust and safety teams,” Discord said at the time.
The identities of the attackers were not disclosed, but Discord said the scammers took personally identifiable data, contact details, some company data and a “small number” of government-issued ID cards.
How many ID cards?
Now, BleepingComputer claimed that the likely compromised company was Zendesk.
The publication also managed to make contact with the attackers, who claimed to have stolen the data of 5.5 million unique users, including 2.1 million government ID photos. The total size of the archive was 1.6 TB, downloaded during 58 hours of uninterrupted access.
The attackers told the publication that they accessed the network through a compromised account belonging to a support agent employed by a business process outsourcing provider used by Discord.
Discord, however, disputes the seriousness of the breach.
“First, as noted in our blog post, this was not a violation of Discord, but rather a third-party service that we use to support our customer service efforts,” the company told the publication in a statement.
“Second, the numbers shared are incorrect and part of an attempt to extort payment from Discord. Among affected accounts worldwide, we identified approximately 70,000 users who may have had government ID photos exposed, which our provider used to review age-related calls.”
“Third, we will not reward those responsible for their illegal actions.” The attackers reportedly asked for $5 million – and then reduced the asking price to $3.5 million.

