Discord says sensitive info stolen during cyberattack on customer service provider

Instant messaging giant Discord warned its users that a recent cyberattack on a third-party customer service provider exposed the sensitive information of an unstated number of customers. 

In a notice on October 3, the company said hackers stole information concerning users who had communicated with their customer support or trust and safety teams. The cybercriminals attempted to extort Discord after stealing the information on September 20, the company explained. Discord, used widely in the gaming community, has more than 200 million active users. 

The data stolen includes names, Discord usernames, emails, IP addresses and messages that were exchanged with customer service agents. The hackers also accessed billing information that ranged from the last four digits of a credit card to a user's purchase history. 

Training materials and internal presentations were also stolen by the cybercriminals. 

In a “small number of cases,” the hackers stole images of government IDs like driver’s licenses and passports that were provided in cases where users were appealing age determinations. Discord said users who had their IDs accessed will be told in emails. 

Discord declined to say how many users were impacted or what third party was breached when reached for comment by Recorded Future News. 

“Recently, we discovered an incident where an unauthorized party compromised one of Discord’s third-party customer service providers. The unauthorized party then gained access to information from a limited number of users who had contacted Discord through our Customer Support and/or Trust & Safety teams,” the company said. 

“As soon as we became aware of this attack, we took immediate steps to address the situation. This included revoking the customer support provider’s access to our ticketing system, launching an internal investigation, engaging a leading computer forensics firm to support our investigation and remediation efforts, and engaging law enforcement.”

Discord said it is in the process of contacting victims and has already notified “relevant” data protection authorities. The company is also reviewing the security controls in place that govern third-party support providers.

The third-party company at fault has had its access to Discord’s ticketing system revoked and the statement says the hackers never accessed Discord directly.