Hackers gained unauthorized access to a third-party customer service system used by Discord on September 20, leading to a data breach that affected a limited number of users. The breach was publicly disclosed by Discord on a Friday, at which point the company stated it had taken immediate action to isolate the compromised system and launch an internal investigation. This response included revoking the provider’s access, engaging a forensics firm, and contacting law enforcement. The attackers’ primary motivation appeared to be financial, as they demanded a ransom from Discord to prevent the public release of the stolen data.
The compromised information was extensive and highly sensitive. It included personally identifying data such as real names, usernames, and email addresses, as well as IP addresses and any messages or attachments sent to customer service agents. For a small number of users, the hackers also accessed photos of government-issued identification documents, such as driver’s licenses and passports. Additionally, partial billing information was exposed, including the payment type, the last four digits of credit cards, and a history of purchases associated with the accounts. Security experts noted the severity of the breach, with one group stating the stolen data represented “literally peoples [sic] entire identity.”
The potential ramifications of the data leak were highlighted by a threat intelligence company CTO, who suggested the information could be used to solve crypto-related hacks and scams. The CTO noted that many scammers operate on Discord and often fail to use burner emails or VPNs, making the stolen data a valuable tool for investigators. While the full extent of the affected user base remains unclear, and Discord has not publicly named the third-party provider or the specific access vector, the Scattered Lapsus$ Hunters (SLH) threat group initially claimed responsibility for the attack. An image they posted showed a Kolide access control list for Discord employees.
The hackers reportedly confirmed to a cybersecurity publication that the breach was a result of a Zendesk compromise, which allowed them to steal the user data. However, they later backtracked, stating that a different, but known, group was responsible. This incident is part of a broader trend of supply-chain attacks, as seen with the recent compromise of hundreds of companies’ Salesforce instances by a different extortion group. Discord has not provided further comment on the incident.
The breach serves as a stark reminder of the risks associated with third-party service providers. While Discord is a massive platform with hundreds of millions of users, the attack affected only those who had interacted with its support or safety teams, demonstrating how even a limited point of access can lead to the exposure of highly sensitive information. It underscores the importance of stringent security protocols not only for a company’s internal systems but also for all its external partners.
Reference:
