Discord has disclosed a security incident in which an unauthorized party gained limited access to a third-party customer service system used by the messaging platform, resulting in the theft of support tickets and related user records. The company said it moved quickly to isolate the provider from its ticketing system, revoke access, engage forensic specialists and notify law enforcement as it investigates the scope and impact of the intrusion.
Discord said the incident occurred on September 20 and that the compromised records include personally identifying information and support interactions submitted by users to the platform’s customer support team. The company said it took immediate steps to cut off the provider’s access to tickets, launch an internal probe and retain outside digital forensics expertise to assist with remediation.
“We revoked the customer support provider’s access to our ticketing system, launched an internal investigation, engaged a leading computer forensics firm to support our investigation and remediation efforts, and engaged law enforcement.”
Support Ticket System Compromise
According to Discord’s advisory, attackers accessed the third-party system used to manage support requests and extracted tickets that contained user-supplied information. The company did not disclose the provider’s name or the precise technical vector used to gain access, saying only that access was “limited” and that the provider was isolated from Discord’s systems once the incident was discovered.
The compromised data set reportedly includes real names and usernames, email addresses and other contact details that users provided when opening support tickets. In many cases, users attach screenshots, logs or other materials to help troubleshoot account issues; Discord said some messages and attachments submitted to support agents were also exposed.
Data Types Exposed and Risk to Users
The breach appears to have exposed a broad range of personally identifying information. Discord confirmed that the attackers accessed IP addresses associated with account activity, message content and attachments sent to support staff, and, in a smaller subset of cases, photographs of government-issued identification documents such as driver’s licenses and passports.
Partial billing information was also among the compromised fields, the company said. That data included payment type, the last four digits of credit cards used for purchases and purchase histories tied to affected accounts. Discord warned that the combination of contact details, identification documents and partial payment data could allow malicious actors to mount highly convincing phishing and social-engineering campaigns.
Security analysts cautioned that support-ticket breaches are particularly sensitive because ticket content often contains detailed account context and troubleshooting steps that can reveal recovery methods, linked services and tokens. That intelligence can be exploited to seize accounts, de-anonymize users, or correlate identities across platforms.
In the wake of the disclosure, various threat actors and online groups circulated claims and samples related to the incident. One group posted an image that purported to show an access control list used by Discord employees for administrative console access; the graphic referenced an employee device-trust system that integrates with a multi-factor authentication provider.
Shortly after the incident became public, an online actor claiming affiliation with a group known as Scattered Lapsus$ Hunters (SLH) said it was responsible for the breach and indicated the intrusion involved a third-party support platform. SLH later clarified that while it had commented on the incident, other groups were involved in similar compromises and attribution remained uncertain.
Discord has not publicly confirmed the identity of the threat actor or whether claims by specific groups are accurate. The company said it is continuing forensic work to determine which tickets and user records were accessed, how many users are affected and whether any downstream misuse of the data has occurred.
“This incident appears to be financially motivated,” a company spokesperson said, noting that the attackers demanded a ransom in exchange for not publishing or distributing the stolen information.
Potential Consequences and Response Measures
Security professionals warned that leaked support tickets and associated identification documents represent a rich dataset for fraudsters and investigators alike. In some instances, the information could be used to trace the origins of scams or provide leads in criminal investigations; in other cases, it could materially aid criminals seeking to recover or compromise cryptocurrency wallets, impersonate users or coerce account recovery processes.
Discord advised users to be vigilant: treat unexpected emails, texts or direct messages that reference support interactions or account details with suspicion; avoid clicking links or responding to requests for credentials; and enable multi-factor authentication on accounts where available. Users who submitted scans of identification documents to verify their accounts were urged to monitor financial statements and report suspected identity theft to appropriate authorities.
For organizations and security teams, recommended steps include monitoring for credential-stuffing and targeted phishing campaigns that leverage the stolen data, tightening verification procedures for customer support interactions, and reviewing third-party access controls and audit logging for ticketing and service platforms.
