Chat and gaming platform Discord has confirmed that hackers stole sensitive user information from one of its third-party customer service providers, in the company’s third such security incident this year.

The breach exposed data including usernames, email addresses, billing information, IP addresses, support messages and, in some cases, photo IDs submitted for age verification. Discord, with over 150 million monthly active users, said it is notifying affected individuals and has severed ties with the compromised vendor.

Incident Details

The unauthorized access targeted a third-party provider handling Discord’s customer support tickets, the company said in a blog post and emails to users. Hackers gained entry to the provider’s systems, extracting data from support interactions. The stolen information varied but potentially included:

  • Discord usernames and user IDs
  • Email addresses
  • Billing details, such as payment types, purchase histories and the last four digits of credit card numbers
  • IP addresses
  • Messages and attachments shared with support agents, including photos and documents
  • Proof-of-age IDs for users verifying they are over 18

Discord emphasized that full credit card numbers, passwords or direct messages outside support channels were not compromised. The company did not specify the number of affected users but described it as a “limited” subset who had contacted customer service recently.

This marks at least the third breach involving Discord’s support operations in 2025, following similar incidents in April and July that leaked ticket data and email addresses. In the latest case, hackers contacted Discord demanding a ransom to withhold the data from public release, according to sources familiar with the matter.

Company Response

Discord said it detected the breach promptly, terminated access to the affected provider and engaged external cybersecurity experts for an investigation.

“We take the security of our users’ data very seriously and are committed to protecting it,” a Discord spokesperson said in an emailed statement.

The company is notifying impacted users via email, advising them to monitor for suspicious activity, change passwords and enable two-factor authentication. Discord has reported the incident to relevant authorities and is cooperating with law enforcement.

To mitigate future risks, the platform is reviewing all third-party vendor relationships, enhancing monitoring and implementing stricter access controls for support systems. Users have begun receiving notification emails, with some sharing details on forums like Reddit, confirming the scope of exposed data.

Broader Context

Data breaches via third-party providers have become a persistent vulnerability for tech companies, as attackers exploit weaker links in extended supply chains. Discord, acquired by Microsoft in 2023, has faced heightened scrutiny over its security amid its popularity among gamers, online communities and younger demographics.

Earlier incidents this year included an April hack leaking support ticket data for thousands of users and a July breach exposing email addresses and partial payment information.

The gaming and social media sectors have experienced a surge in cyberattacks, with Sony’s PlayStation Network hit by a major distributed denial-of-service attack in September, and Twitch reporting a data leak in August affecting streamer payouts.

Experts attribute the increase to sophisticated ransomware groups and nation-state actors targeting valuable user data for identity theft, extortion or espionage.

In the U.S., the Federal Trade Commission has intensified enforcement on data security, imposing fines like the $148 million penalty on Uber in 2024 for inadequate protections. Globally, regulations such as the EU’s General Data Protection Regulation (GDPR) levy penalties up to 4% of annual revenue for breaches, with similar frameworks emerging in Asia and Latin America.

Market Reaction

Shares in Microsoft, Discord’s parent company, fell 0.8% in New York trading on Monday, amid broader concerns over cybersecurity risks in the tech sector. Discord does not report separate financials, but as part of Microsoft’s gaming division, it contributes to the unit’s $20 billion annual revenue.

Analysts at Wedbush Securities said the breach, though limited, could undermine user trust and slow growth in Discord’s premium Nitro subscriptions, which reached 25 million in 2025.

JPMorgan maintained a “neutral” rating on Microsoft, citing escalating cyber threats as a potential drag on valuations.

Challenges for Users

Affected users face heightened risks of phishing attacks, identity theft and spam, as leaked emails and personal details can be exploited by cybercriminals. Discord advised monitoring credit reports, being cautious of unsolicited communications and using unique passwords for each service.

Privacy advocates, including the Electronic Frontier Foundation, urged stronger data minimization practices, arguing that companies collect more information from users than they need. Younger users, who make up a significant portion of Discord’s audience, may be particularly vulnerable to scams targeting leaked IDs.

Quotes

“In light of this incident, we have taken immediate action to secure our systems and are working diligently to support those impacted,” the Discord spokesperson added.

Cybersecurity expert Brian Krebs, founder of Krebs on Security, commented: “Third-party breaches are the Achilles’ heel of modern tech ecosystems. Companies must vet vendors as rigorously as their own operations.”

Molly White, a researcher at the Center for Democracy & Technology, said: “Repeated incidents at Discord highlight the need for systemic changes in how platforms handle outsourced data.”

Broader Industry Trends

The incident underscores the growing reliance on third-party services in tech, from customer support to cloud storage, which expands attack surfaces and complicates oversight. According to IBM’s 2025 Cost of a Data Breach Report, the average breach costs $4.88 million, up 10% from last year, with notification and response adding significant expenses.

Ransomware attacks, often behind such breaches, have surged 20% year-over-year, per Chainalysis, with groups like LockBit and Conti targeting high-profile victims. In response, companies are investing in zero-trust architectures and AI-driven threat detection, with global cybersecurity spending projected to reach $212 billion in 2025.

Regulators are pushing for accountability: The U.S. Securities and Exchange Commission now requires public companies to disclose material breaches within four business days, a rule effective since 2024.

In Europe, the Digital Operational Resilience Act (DORA), which took effect in January 2025, requires financial firms to oversee third-party risks, with similar frameworks emerging in Asia. For social platforms like Discord, which handle sensitive user communications, breaches can lead to reputational damage and user churn, as seen with Facebook’s 2018 Cambridge Analytica scandal.

Legislation targeting younger users, such as the U.S. Kids Online Safety Act passed in July 2025, imposes stricter data protection requirements on platforms with significant underage audiences.

Outlook

Discord expects to complete its investigation in the coming weeks and will provide further updates to users as needed. The company plans to enhance vendor audits and implement multi-factor authentication for all support access points.

Analysts at Gartner forecast that by 2027, 75% of enterprises will require third-party providers to meet stringent security standards, up from 45% today. As cyber threats continue to evolve, incidents like this emphasize the importance of proactive defenses, robust incident response plans and transparent communication to maintain user trust in an increasingly digital world.
