Discord has disclosed that an unnamed third-party customer service provider has been compromised in a recent data breach carried out by an unauthorized group, raising significant safety and security concerns. However, the company stressed that the unauthorized party did not achieve direct access to Discord’s own platform or its internal servers.
Breach Details and Initial Response
Discord shared an update confirming that the data breach involved one of its unnamed third-party customer service providers. The company stated that the “unauthorized party” gained access to data belonging to a limited number of Discord users, specifically those who had previously contacted Discord through its Customer Support channel or its Trust & Safety teams.
Upon discovering the attack, Discord immediately revoked the compromised provider’s access to its ticketing system to contain the breach. The company stated that it promptly launched a thorough investigation, brought in a computer forensics firm to assist, began “remediation efforts,” and is actively collaborating with law enforcement. Discord is now directly contacting the users whose data was exposed in the incident.
Compromised User Data and Extortion
Discord’s update provided specific details about the types of data that were compromised. This information included users’ usernames, email addresses, and the last four digits of their credit card numbers. The company also revealed that the threat actors successfully obtained limited corporate data, IP addresses, and the messages exchanged with customer service agents.
According to The Verge, Discord assures the public that sensitive information such as full credit card numbers and user passwords was not accessed by the unauthorized party. However, Discord did confirm that the threat actors managed to access a small number of government IDs, complete with user photos. Discord also reported that the unauthorized party has initiated extortion attempts, demanding a financial ransom for the data it currently possesses.
For the immediate future, Discord stated it will continue to work with law enforcement to investigate the attack and apprehend the perpetrators. Additionally, the company is reviewing its threat detection systems and reinforcing the security controls in place for all of its third-party support providers. Discord also issued a general warning, urging all users to be vigilant for any suspicious messages they receive on the platform and to contact its service agents promptly if they need additional support.
What The Author Thinks
This breach of a third-party customer service provider highlights a critical weakness across the tech ecosystem: companies are only as secure as their least protected vendor. Discord can point to the security of its own servers, but by outsourcing user support it effectively handed a skeleton key to user data to an external firm, which was then compromised. The fact that government IDs with photos were accessed is particularly concerning, as this type of data cannot be changed and is invaluable to identity thieves, meaning Discord’s responsibility extends far beyond simply sending an email to affected users.
Featured image credit: ilgmyzin via Unsplash