TrollEye Security

Discord Refuses to Pay Hackers Behind Alleged 5.5 Million-User Breach

Discord Rejects Extortion Demand

Discord is refusing to pay ransom to threat actors who claim to have stolen data belonging to 5.5 million users from the company’s Zendesk support system, as reported by BleepingComputer. The attackers allege that the breach exposed government IDs, partial payment information, and other sensitive details linked to millions of support tickets.

According to Discord, the incident did not involve a direct breach of its own systems but rather a compromise of a third-party service used for customer support. The company has also pushed back on the hackers’ claims, calling them exaggerated and part of an attempted extortion campaign.

Discord Disputes Scale of Exposure

While the attackers allege that 2.1 million photos of government IDs were exposed, Discord says the real number is far smaller, approximately 70,000 users. These ID photos were collected for age verification purposes and stored by a vendor that supports Discord’s customer verification process.

The threat actors claim they accessed Discord’s Zendesk environment for 58 hours starting on September 20th, 2025. According to their account, the breach stemmed not from a vulnerability in Zendesk but from a compromised account belonging to a support agent employed through a business process outsourcing (BPO) provider.

The hackers say this access allowed them to exploit an internal support tool known as “Zenbar,” giving them visibility into user data such as email addresses, phone numbers, and MFA-related details. They claim to have stolen 1.6 terabytes of data in total, including 1.5 TB of ticket attachments and 100 GB of transcripts, covering roughly 8.4 million tickets tied to 5.5 million unique users.

Payment and Data Claims

The attackers allege that some tickets contained partial payment information and that Zendesk integrations with Discord’s internal systems allowed them to perform millions of API queries for additional data. They initially demanded $5 million in ransom, later reducing the amount to $3.5 million during negotiations that reportedly took place between September 25th and October 2nd.

After Discord ended communications and issued a public statement about the incident, the hackers said they were “extremely angry” and threatened to release the data publicly if their demands were not met.

Ongoing Investigation

While Discord maintains that its internal systems were not compromised, this incident highlights the risk of third-party providers becoming weak links in an organization’s broader security chain. Outsourced vendors like BPOs often have privileged access to sensitive platforms, making them ideal targets for attackers seeking indirect access to customer data.

To avoid breaches like this one, supply chain security must extend beyond contracts and compliance checklists. Organizations need continuous assurance: validating the security posture of every vendor, enforcing least-privilege access, and monitoring integrations in real time.

For a deeper look at how to build a program that enforces this in practice, read our guide on developing a vendor risk management program.
