Discord confirmed in early October 2025 that a breach affecting its customer support systems compromised the data of approximately 70,000 users, including government-issued ID photos submitted for age verification and appeals.
The company attributed the incident to a third-party vendor, later identified as Netherlands-based customer experience firm 5CA.
However, 5CA has publicly denied being hacked, stating that its internal systems were not breached and suggesting the issue may have stemmed from human error or misconfigured access permissions.
The attackers, reportedly part of a group calling itself Scattered Lapsus$ Hunters, claim to have stolen 1.6 terabytes of data from Discord’s support environment, including over 2 million images.
Discord clarified that its core infrastructure was not compromised and emphasized that the breach was limited to interactions with its Trust & Safety and Customer Support teams. The stolen data may include names, email addresses, Discord usernames, IP addresses, and partial billing information, but not passwords or full credit card details.
The conflicting narratives between Discord and 5CA have sparked debate over vendor oversight and data handling practices. Discord has since revoked the vendor’s access and launched a forensic investigation, but critics argue that the platform’s reliance on third-party services for sensitive operations like ID verification demands stricter safeguards.
The incident has also reignited concerns about how platforms store and manage user-submitted identity documents, especially when those systems are outsourced.