Discord has stated that it will not pay a ransom to the attackers who claim to have stolen data on 5.5 million users. The stolen data includes copies of government IDs and partial payment information for some users. The company says the breach actually affected about 70,000 people.
As a reminder, last week Discord representatives reported a cybersecurity incident. The attack occurred back on September 20, 2025, and was linked to the compromise of a third-party vendor that provides customer support services to the company.
Discord stated that it had taken all necessary measures to isolate the compromised vendor from its ticketing system and had launched an investigation. At the time, it was reported that the breach affected “a limited number of users” who had interacted with Discord Support or Trust & Safety specialists.
Among the compromised data were:
- users’ real names and usernames;
- email addresses and other contact details provided to support staff;
- IP addresses, messages, and attachments sent to support;
- partial payment information (payment type, last four digits of the bank card number, and purchase history associated with the compromised account).
Worse yet, hackers gained access to photos of identity documents (driver’s licenses, passports, student IDs, and so on) for a small number of users who had provided documents to verify their age.
At the time, the company did not disclose the exact number of affected users, nor the name of the third-party vendor that was impacted by the attack. However, according to Bleeping Computer, hackers breached Zendesk, which allowed them to steal Discord users’ data. A group calling itself Scattered Lapsus$ Hunters (a coalition of members from the hacking groups Scattered Spider, LAPSUS$, and Shiny Hunters) claimed responsibility for the attack.
The attackers claimed to have stolen data on 5.5 million users, and the stolen files include copies of 2.1 million identity documents and partial payment information.
Discord representatives have now issued a new statement, in which the company disputes the hackers’ claims and says that copies of documents may have been compromised for roughly 70,000 users.
“First, as we already said on our blog, this is not a breach of Discord but of a third-party service we use for customer support,” company representatives say. “Second, the figures being circulated [by the attackers] are incorrect and are part of an extortion attempt. According to our data, approximately 70,000 users worldwide were affected, whose ID photos may have been compromised. Our contractor used these images to verify requests related to age confirmation. Third, we are not going to reward the perpetrators for their illegal actions.”
At the same time, the hackers told BleepingComputer that Discord is downplaying the scope of the breach. According to the attackers, they managed to steal 1.6 TB of data from the company’s Zendesk instance, and they maintained access to that instance for 58 hours (starting on September 20).
The attackers say the leak did not result from a Zendesk vulnerability or breach, but from the compromise of an account belonging to a support employee hired through a BPO (Business Process Outsourcing) contractor.
It is also alleged that Discord’s Zendesk instance gave the hackers access to a support application called Zenbar, which allowed them to perform various operations — for example, disabling multi-factor authentication and viewing users’ phone numbers and email addresses.
Using this access, the attackers allegedly stole 1.6 TB of data (about 8.4 million tickets linked to 5.5 million unique users, of which roughly 580,000 contained some form of payment information).
In a conversation with journalists, the attackers admitted they do not know the exact number of stolen IDs, but believe there are more than 70,000, since the hackers counted a total of 521,000 tickets related to age verification.
One of the attackers told the publication that the group demanded a ransom of 5 million US dollars from the company, then reduced the amount to 3.5 million US dollars, and negotiated with Discord from September 25 to October 2, 2025.
After Discord broke off negotiations and published an official statement about the incident, the hackers said they were “extremely irritated” and now plan to release the data publicly if they do not receive a ransom.
Bleeping Computer emphasizes that they are unable to independently confirm the authenticity of the hackers’ claims and verify the samples of stolen data they provided.