
Discord Data Breach via Third-Party Customer Service Provider

Date of Incident:
September 20, 2023

Overview:

In a data breach disclosed on October 4, 2025, Discord experienced a security incident via a third-party customer service provider on September 20, 2023. The attack exposed partial payment data and personally identifiable information, including names, IDs, and email addresses of users who interacted with Discord’s support teams. The breach involved exploiting a third-party platform, with hackers using phishing and credential stuffing to gain access, demanding a ransom afterwards. As a result, sensitive information, especially related to crypto crimes, was compromised. The breach revealed vulnerabilities in account access and data handling within the support infrastructure.


Impact:

Partial payment information and personally identifiable data, including names, government-issued IDs, usernames, email addresses, IP addresses, and messages and attachments sent to customer service, were compromised for a limited number of users who interacted with Discord’s customer support and Trust and Safety teams. The hackers demanded a ransom. The breached data could help uncover crypto-related hacks and scams.

Details:

The breach involved exploitation of a third-party customer service platform used by Discord support teams. Attackers gained unauthorized access, allowing exfiltration of sensitive user data including Personally Identifiable Information (PII) and partial payment details. MITRE ATT&CK techniques include T1190 (Exploit Public-Facing Application), T1078 (Valid Accounts) for lateral movement, and T1005 (Data from Local System). The attackers used phishing and credential stuffing to compromise accounts with support access. PoC behavior included malicious payload delivery via web requests capturing ticket content, leveraging JSON data exfiltration. IOCs involve anomalous login IP addresses, suspect API calls in logs, and specific file hashes of attacker tools on the third-party platform. Log artifacts show repeated failed authentications followed by successful privilege escalations.

Remediation:

Discord advised immediate rotation of credentials for support staff and enhanced multi-factor authentication (MFA) enforcement. The third-party provider patched the vulnerability in their customer service platform. Temporary mitigations include limiting support access scope and continuous auditing of API call logs for unusual activity. Discord also recommended that users monitor their accounts for phishing attempts and change passwords as a precaution.
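
The log pattern noted under Details (repeated failed authentications, then a successful login, then a privilege change) is one thing the log auditing above can look for. The following is an added example, not code from Discord or the provider: the log format, the event names (auth_fail, auth_ok, role_change), and the thresholds are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format (not the provider's): <ISO time> <event> key=value ...
# Constructed sample lines; IPs come from documentation-only ranges.
SAMPLE_LOG = """\
2024-01-01T10:00:01 auth_fail user=agent7 ip=203.0.113.9
2024-01-01T10:00:05 auth_fail user=agent7 ip=203.0.113.9
2024-01-01T10:00:09 auth_fail user=agent7 ip=198.51.100.4
2024-01-01T10:00:14 auth_fail user=agent7 ip=198.51.100.4
2024-01-01T10:00:20 auth_ok user=agent7 ip=198.51.100.4
2024-01-01T10:03:00 auth_fail user=agent2 ip=192.0.2.20
2024-01-01T10:03:30 auth_ok user=agent2 ip=192.0.2.20
2024-01-01T10:05:00 role_change user=agent2 ip=192.0.2.20 role=admin
2024-01-01T10:06:40 role_change user=agent7 ip=198.51.100.4 role=admin
"""

FAIL_THRESHOLD = 4                  # assumed: failures inside WINDOW that form a burst
WINDOW = timedelta(minutes=10)      # assumed look-back period for failures
FOLLOW_UP = timedelta(minutes=30)   # assumed: role change this soon after login is flagged

def parse(line):
    ts, event, *pairs = line.split()
    return datetime.fromisoformat(ts), event, dict(p.split("=", 1) for p in pairs)

def detect(log_text):
    """Flag accounts where a failed-login burst is followed by a success, then a role change."""
    fails = defaultdict(deque)   # user -> timestamps of recent failures
    suspect = {}                 # user -> (time, ip) of the login that ended a burst
    alerts = []
    for line in filter(str.strip, log_text.splitlines()):
        ts, event, f = parse(line)
        user, recent = f["user"], fails[f["user"]]
        while recent and ts - recent[0] > WINDOW:   # expire failures outside the window
            recent.popleft()
        if event == "auth_fail":
            recent.append(ts)
        elif event == "auth_ok":
            if len(recent) >= FAIL_THRESHOLD:       # success right after a burst
                suspect[user] = (ts, f["ip"])
            recent.clear()
        elif event == "role_change" and user in suspect:
            login_ts, ip = suspect[user]
            if ts - login_ts <= FOLLOW_UP:
                alerts.append({"user": user, "login_ip": ip, "role": f.get("role")})
    return alerts

if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```

Failures are counted per account rather than per source IP, so a burst spread across several addresses still trips the threshold.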

Takeaway for CISO:

The partial exposure of PII and payment info through a third party underscores the critical risk of supply chain and third-party breaches. CISOs should enforce stringent vetting and monitoring of vendor access to sensitive data and apply zero trust principles, especially for customer support access. Rapid detection and incident response play a pivotal role in minimizing impact.


Priyanka Aash

Priyanka Aash is credited with building global communities for cybersecurity leaders and shaping enterprise marketing strategies for over a decade. She has been nominated for the Cybersecurity Excellence Award for her leadership & AI innovations in cybersecurity and honored with the NetApp Excellerate HER award. She is also the author of “The AI Divide,” which explores how artificial intelligence is quietly rewiring human minds and influencing decisions. Earlier, she co-founded CISO Platform, the world’s first online platform for collaboration and knowledge sharing among senior information security executives. Through this, she worked with the marketing teams of IBM, VMware, F5 Networks, Barracuda Networks, Check Point, and others, driving inbound marketing and enterprise growth. Priyanka is passionate about entrepreneurship, enterprise marketing strategy, and building communities that empower CISOs worldwide.