In light of the recent announcement made last week concerning a security issue connected to one of our third-party vendors responsible for customer service operations, we would like to take this opportunity to clarify and correct the inaccurate statements currently being shared online by those accountable for this incident. Some misleading claims have been circulated, and it is important to provide accurate information and contextual details to ensure our community fully understands what occurred.
To begin, as we explicitly explained in our official blog post, this event did not constitute a direct breach of Discord’s internal infrastructure, systems, or databases. Instead, the security incident occurred within an external third-party service provider that assists us in managing and processing customer support requests. In essence, while Discord’s core platform and user data remain secure, the compromise involved a separate vendor contracted to handle specific service tasks on our behalf. Clarifying this distinction is crucial for understanding where the exposure took place and why it did not affect Discord’s own network or servers.
Second, some of the figures and claims being spread online regarding the scope and scale of the incident are simply inaccurate. These numbers are being exaggerated and misrepresented as part of an attempted extortion scheme directed at Discord, in which the perpetrators are seeking an unlawful financial gain. In reality, after conducting a detailed and thorough internal investigation in collaboration with cybersecurity experts, we have determined that approximately seventy thousand (70,000) user accounts worldwide may have had government-issued identification photos exposed. These documents were previously collected and stored by our external vendor for one specific and legitimate purpose: to review and verify users’ age-related appeals in cases where proof of age was required. It is essential to emphasize that no other types of personal data were exposed beyond what was necessary for these verification processes.
Third, and of equal importance, Discord will not, under any circumstances, succumb to coercion or financially reward those responsible for these unlawful actions. Supporting or legitimizing criminal behavior by offering payment or acquiescence would not only contradict our principles but also encourage further malicious activity within the broader digital ecosystem. We remain committed to upholding legal and ethical standards in every decision related to this matter.
We have taken comprehensive measures to safeguard all affected users. Every individual whose information may have been involved in this incident has been personally contacted through secure and verified channels to ensure transparency and support. At the same time, our team continues to collaborate proactively with law enforcement agencies, data protection authorities, and independent security professionals to assist in investigating the perpetrators and mitigating any potential risks resulting from the exposure. Furthermore, we have already secured all systems connected to the affected environment and have permanently terminated our relationship with the compromised service vendor to prevent any recurrence of this issue.
At Discord, we regard the protection and confidentiality of your personal information as a central responsibility and a core element of the trust you place in our platform. We fully recognize the unease and concern that this situation may cause to our users, and we wish to assure you that every possible step is being taken to strengthen defenses, improve oversight of external partners, and reinforce data protection practices moving forward. Your privacy remains our highest priority, and we continue to dedicate substantial resources toward maintaining a secure, transparent, and resilient environment for our community worldwide.
Source: https://www.theverge.com/news/797051/discord-government-ids-leaked-data-breach