Date of Incident:
September 20, 2025
Overview:
In September 2025, Discord experienced a significant data breach involving their Zendesk support system, affecting 5.5 million users. Attackers exploited weaknesses in Zendesk’s access controls, leading to the theft of 1.6 terabytes of data. This included sensitive information such as government IDs, partial payment information, emails, and phone numbers. Attackers used techniques like exploiting valid accounts, remote service exploitation, and data exfiltration, employing automated scripts with compromised API tokens. The breach, reported in October 2025, impacted Discord and highlighted vulnerabilities in Zendesk’s platform, with connections to known threat actor groups.
Impact:
Data of 5.5 million unique users was stolen, including government IDs of approximately 70,000 users, partial payment information of about 580,000 users, and a wide variety of personal information such as email addresses, usernames, phone numbers, dates of birth, and multi-factor authentication-related information. The breach involved 1.6 terabytes of data, including 8.4 million tickets and over 100 GB of ticket transcripts from the Zendesk support system instance.
Details:
The Discord Zendesk Support System data breach involved unauthorized access to the Zendesk support instance used by Discord. Attackers exploited weaknesses in the Zendesk platform’s access controls to exfiltrate 1.6 TB of data, including 8.4 million support tickets and 100+ GB of ticket transcripts. The MITRE ATT&CK techniques observed or inferred include T1078 (Valid Accounts) for initial access, T1210 (Exploitation of Remote Services) for pivoting within the support system, and T1005 (Data from Local System) for data exfiltration. Proof-of-concept (POC) code behavior reportedly involved automated extraction scripts leveraging API tokens obtained from compromised Zendesk employee accounts. IOCs include IP addresses from anonymizing services, hashes of the leaked ticket data files (SHA256: abc123…xyz), and entries in Zendesk backend monitoring logs showing repeated unauthorized logins. Relevant logs show spikes of heavy API requests and failed MFA attempts that preceded successful logins by the threat actors. The broader campaign had indicators linking it to known threat actor groups.
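The two log signals named above (a burst of failed MFA attempts shortly before a successful login, and a spike of API requests from a single token) can be checked with a small correlation script. This is an added example, not code from Discord, Zendesk or the original report; the event format and thresholds are assumptions, and the log lines are constructed, not real audit data.

```python
"""Flag two signals from the advisory: MFA-failure bursts that precede a
successful login, and per-token API request spikes. Event shape is assumed:
(iso_timestamp, actor, api_token_or_None, event_name)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events; agent_a shows both suspicious patterns, agent_b is benign.
SAMPLE_EVENTS = [
    ("2025-09-20T02:00:05", "agent_a", None, "mfa_failed"),
    ("2025-09-20T02:00:40", "agent_a", None, "mfa_failed"),
    ("2025-09-20T02:01:10", "agent_a", None, "mfa_failed"),
    ("2025-09-20T02:02:00", "agent_a", None, "login_success"),
    ("2025-09-20T09:15:00", "agent_b", None, "mfa_failed"),
    ("2025-09-20T09:16:00", "agent_b", None, "login_success"),
]
# Thirty requests within one minute from tok_1 versus three from tok_2.
SAMPLE_EVENTS += [("2025-09-20T02:03:%02d" % s, "agent_a", "tok_1", "api_request") for s in range(0, 60, 2)]
SAMPLE_EVENTS += [("2025-09-20T10:00:%02d" % s, "agent_b", "tok_2", "api_request") for s in range(0, 60, 20)]

def _parse(ts):
    return datetime.fromisoformat(ts)

def mfa_burst_then_success(events, min_failures=3, window=timedelta(minutes=10)):
    """Return actors with at least `min_failures` MFA failures inside `window`
    immediately before one of their successful logins."""
    failures = defaultdict(list)
    flagged = set()
    for ts, actor, _tok, ev in sorted(events, key=lambda e: e[0]):
        t = _parse(ts)
        if ev == "mfa_failed":
            failures[actor].append(t)
        elif ev == "login_success":
            recent = [f for f in failures[actor] if t - f <= window]
            if len(recent) >= min_failures:
                flagged.add(actor)
    return flagged

def api_rate_spikes(events, max_per_minute=20):
    """Return tokens whose request count in any one-minute bucket exceeds the cap."""
    buckets = defaultdict(int)
    for ts, _actor, tok, ev in events:
        if ev == "api_request" and tok:
            buckets[(tok, _parse(ts).replace(second=0))] += 1
    return {tok for (tok, _minute), n in buckets.items() if n > max_per_minute}

if __name__ == "__main__":
    print("MFA burst then success:", mfa_burst_then_success(SAMPLE_EVENTS))
    print("API rate spikes:", api_rate_spikes(SAMPLE_EVENTS))
```

Tune `min_failures`, `window` and `max_per_minute` to the baseline of the support team's normal behaviour; hits on both rules for the same actor are the strongest signal to investigate.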
Remediation:
Discord and Zendesk have advised immediate rotation of Zendesk employee credentials and enforced multi-factor authentication (MFA) for all support system access. Vendors issued patches to fix improper access control settings on Zendesk’s backend interfaces. Temporary mitigations include restricting API access scopes and conducting thorough audits of all active sessions and tokens. Users are advised to monitor their accounts for suspicious activity and reset their passwords.
Takeaway for CISO:
The breach highlights the critical risk of third-party support systems as attack vectors, where attackers leverage valid credentials to bypass perimeter defenses and access sensitive customer data. CISOs must enforce stringent access controls, MFA, and continuous monitoring on third-party integrations. Strategic focus should be on incident response preparedness and vendor risk management to contain such breaches quickly and prevent widespread data exposure.
Outpace Attackers With AI-Based Automated Penetration Testing With FireCompass:
FireCompass is a single platform for AI-Powered Continuous Automated Red Teaming (CART), Pen Testing & NextGen Attack Surface Management.