Discord has confirmed a data breach involving a third-party customer service provider that exposed personal information from users who had interacted with the platform’s Customer Support or Trust & Safety teams, including some government-issued ID images submitted for age verification.

The company disclosed the breach on October 3, saying that “an unauthorized party” had compromised a vendor’s systems and accessed information from “a limited number of users.”

Discord said it had revoked the vendor’s access, notified affected users by email, and reported the incident to law enforcement and data protection authorities.

According to the company, the stolen data includes names, usernames, email addresses, IP addresses, the last four digits of some credit card numbers, and communications sent to customer support. Discord also confirmed that “a small number” of government ID images, including driver’s licenses and passports, were accessed from users who had submitted them as part of the platform’s age verification appeals process. Full credit card numbers and passwords were not affected.

“The privacy and security of our users is a top priority,” Discord said in its statement. “Recently, we discovered an incident where an unauthorized party compromised one of Discord’s third-party customer service providers. We recommend impacted users stay alert when receiving messages or other communication that may seem suspicious.”

The breach comes amid heightened scrutiny of online age-verification systems following regulations introduced under the UK’s Online Safety Act and similar proposals in the United States and Australia. Discord began testing biometric and ID-based verification earlier this year through partnerships with k-ID and Veratad, which validate users’ ages through facial recognition or government-issued documents.

While Discord has said that ID scans are deleted immediately after verification, the incident raises concerns about data retention practices by third-party vendors handling sensitive identity information. Analysts have noted that the exposure of even a small number of ID images highlights the potential risks of large-scale age-verification systems.

Cybersecurity outlets have reported that the hacker group Scattered Lapsus$ Hunters has claimed responsibility for the breach and allegedly sought to extort a ransom from Discord. The company said the attackers did not gain direct access to its own systems.

The event follows repeated warnings from privacy experts and regulators that requiring users to submit personal identification to access online platforms creates new targets for cybercriminals. A recent report from Australia’s Age Assurance Technology Trial cautioned against long-term storage of ID data, describing over-retention as a predictable vulnerability.

Discord has not disclosed how many users were affected but said it is contacting all impacted individuals. The company urged users to be cautious of unsolicited messages or links and to verify any communications claiming to come from Discord.