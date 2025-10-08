Hackers Threaten to Leak 2.1M Discord Users’ Passports, Licenses in Extortion Attack

Discord’s Zendesk support was breached, exposing 2,185,151 age‑verification photos tied to 2.1M users’ passports and driver’s licenses, and the attackers are now extorting Discord to stop a wider leak.

Hackers have reportedly stolen more than two million government identification photos from Discord’s third-party support system and are now threatening to leak them unless the company pays a ransom.

The breach, which occurred on September 20, involved Discord’s Zendesk instance, a customer service platform used by the company to handle user support and trust-and-safety inquiries.

2.1M Passport and License Photos Leaked in Discord Vendor Hack

According to cybersecurity research group VX-Underground, the attackers claim to have exfiltrated 1.5 terabytes of data, including approximately 2,185,151 images tied to age verification appeals.

These images consist of passports and driver’s licenses submitted by Discord users attempting to verify their age after being flagged by the platform’s automated moderation system.

Chat, we are cooked



Discord is being extorted by the people who compromised their Zendesk instance



They've got 1.5TB of age verification related photos. 2,185,151 photos



tl;dr 2.1m Discord users drivers license and/or passport might be leaked. Unknown number of e-mails

In an update posted to its blog on October 3, Discord confirmed that an “unauthorized party” had accessed its third-party Zendesk instance. The company said the incident affected a “limited number of users” who had contacted its Customer Support or Trust & Safety teams.

Discord emphasized that its own servers were not breached, and no user passwords, private messages, or authentication data were exposed.

However, the attackers’ claims go far beyond Discord’s initial description of a limited incident. VX-Underground shared screenshots of sample ID images allegedly taken from the breach, saying Discord was being extorted for the stolen data.

On September 20, Discord experienced a security incident involving its customer service platform. This incident resulted in the exposure of users' names, usernames, email addresses, limited payment information, IP addresses, and messages exchanged with customer service. pic.twitter.com/mbrbThQw7i — Discord Previews (@DiscordPreviews) October 3, 2025

The leaked files reportedly include photos of passports, driver’s licenses, and other identity documents used for verification. Discord has not confirmed the authenticity of the leaked samples but acknowledged that some ID photos were among the data accessed.

While Discord’s official disclosure sought to minimize the scale of the incident, VX-Underground and other cybersecurity observers presented a different picture, alleging that the attackers are in possession of over 2.1 million user verification photos.

The group also published samples of the stolen documents to substantiate their claims and confirmed that Discord is being extorted to prevent a public release.

Although Discord clarified that full credit card numbers, CCV codes, and private messages were not exposed, experts warn that the stolen details could still be exploited for phishing, identity theft, or social engineering attacks.

Update: We have become aware that the perpetrators of this attack claim to have obtained 1.5 TB of age-verification photos totalling 2,185,151 images, which they are now using to extort Discord. https://t.co/iCPl7ljQLy pic.twitter.com/cTrnDCaTeu — Discord Previews (@DiscordPreviews) October 8, 2025

The breach has reignited concerns over how digital platforms handle identity verification data. Discord users have expressed frustration online, noting that the company previously stated age verification information would be deleted immediately after confirmation.

Critics say the storage of appeal-related documents created an unnecessary privacy risk, as these images were kept on external servers.

Discord Hack Ignites UK Debate Over Digital ID Plans

Security analysts say the breach highlights a recurring flaw in data-handling practices: even when companies outsource functions like customer support, sensitive information can remain exposed if vendors are not held to the same security standards.

In this case, attackers appear to have targeted Discord’s Zendesk environment directly rather than its primary infrastructure, taking advantage of the external system’s access privileges.

The fallout from the incident has also spilled into broader political discussions in the United Kingdom, where the news has fueled public opposition to the government’s planned national Digital ID program.

I have received countless requests to campaign against digital ID.



The petition, at 2.8 million signatures shows:



This is no fringe view. It is a national outcry.



See here. 👇https://t.co/fNXPs2Ku4r — David Davis MP (@DavidDavisMP) October 8, 2025

Following reports of the Discord hack, a petition opposing the initiative has surpassed 2.8 million signatures, with critics citing the breach as proof of the dangers of centralized digital identification systems that store large volumes of sensitive data.

The Discord attack follows a series of similar intrusions targeting third-party service providers across the tech industry. Zendesk, which provides helpdesk software to numerous firms, has been used as a backdoor in several past attacks.

Discord said it is now reviewing all external vendors and auditing access permissions to prevent future incidents.

As of this week, the extortionists have not disclosed the ransom amount or the deadline for payment. Law enforcement agencies in the United States and Europe are reportedly investigating the case, but the authenticity of the hackers’ full dataset has yet to be independently verified.

The breach comes amid a renewed focus on digital identity security and user privacy. Last year, Privado ID, a spin-off from Polygon Labs, introduced a web wallet that allows users to verify their age and identity using zero-knowledge proofs, a cryptographic method that confirms personal details without exposing underlying data.

The technology has been touted as a privacy-preserving alternative to traditional document uploads like those used by Discord’s age verification process.