Hackers infiltrate Discord’s ID checks, and it's bad news — 70,000 users' personal data exposed

Discord has been the victim of a serious data breach linked to age verification. (Image credit: Windows Central)

As reported by the BBC, on September 20, 2025, a third-party provider called 5CA was compromised. The company supports Discord’s customer service and age verification appeals.

The breach lasted 58 hours and is believed to have been carried out by the groups known as Scattered Spider, LAPSUS$ and ShinyHunters. Discord confirmed the incident on October 2, 2025, stating that around 70,000 users were affected worldwide.

What data was exposed — and what wasn’t

The more our personal data is sent to places like this, the more people will try and steal it. (Image credit: Getty Images | quantic69)

From this breach, hackers managed to obtain several types of data, including:

  • Government-issued IDs such as passports and driver’s licenses
  • Emails, full names, usernames, and contact details
  • Limited billing data, payment types used, last four digits of card numbers, and purchase history
  • IP addresses, customer support messages, and internal training documentation

Fortunately for users, full credit card numbers, CVV codes, passwords, and private messages were not compromised.

Hackers initially claimed to have obtained over one million IDs, but Discord refuted this, confirming that around 70,000 IDs were stolen.

While that number is still significant, the incident raises larger concerns about the growing use of mandatory age verification systems. In the UK, for instance, such checks are now required across many websites.

Personally, I find this approach troubling — it risks pushing younger users toward unsafe sites that don’t require ID, or encouraging the use of VPNs to bypass restrictions.

Hackers’ ransom demands and Discord’s response

Naturally, the bad actors behind this want cash. (Image credit: Getty Images | Witthaya Prasongsin)

Hackers demanded a ransom from Discord, initially asking for $5 million before lowering it to $3.5 million. Discord refused to pay, with negotiations reportedly taking place between September 25 and October 2, 2025.

In a statement, the company said, “We will not reward those responsible for their illegal actions.” Since then, Discord has revoked 5CA’s access, launched an internal investigation, and notified the relevant authorities.

Discord has sent email notifications to impacted users. These messages come from noreply@discord.com, so it’s worth checking your inbox if you’ve submitted ID verification details.

Why this breach matters for age verification laws

Discord's breach is a timely reminder of the potential issues with mandatory age verification services.

Unfortunately, this kind of situation could become the norm as more countries, including the UK, now require users to verify their ages under new online safety laws. In the UK, the Online Safety Act came into full effect in July 2025, making age verification mandatory across many platforms.

In this case, Discord’s age verification appeals system was the specific target. Users flagged as underage were asked to submit government ID photos to confirm their age. These manual submissions were handled by 5CA, a third-party vendor, not Discord itself.

That distinction doesn’t make it less concerning. Privacy remains one of the main reasons people oppose mandatory ID checks. Personally, I don’t mind sharing my ID when it’s my choice — but being forced to hand it over feels wrong. For UK users like me, that lack of choice leaves a sour taste.

As far as I’m aware, this is the first major attack tied directly to age verification infrastructure, and it comes just months after such systems were introduced. It’s a worrying start to what could become a global problem. We were lucky that payment information wasn’t compromised this time, but it raises a serious question — how long until that happens? Even without it, the idea that hackers now possess thousands of government-issued IDs and IP addresses is deeply unsettling.

As of October 10, 2025, Discord is still working with law enforcement. So far, the stolen data has not been released publicly, though the hackers have threatened to publish it if their demands aren’t met.

I think I’ve made my stance on our online safety–driven future clear, but I’d be interested to know how others feel and if opinions have changed from our last poll on the topic. Is this trade-off worth it? Privacy may be becoming a thing of the past, but in theory, it’s meant to offer better protection for users online. For now, it remains to be seen whether companies — including Discord — can truly keep that data secure.


Adam Hales
Contributor

Adam is a Psychology Master’s graduate passionate about gaming, community building, and digital engagement. A lifelong Xbox fan since 2001, he started with Halo: Combat Evolved and remains an avid achievement hunter. Over the years, he has engaged with several Discord communities, helping them get established and grow. Gaming has always been more than a hobby for Adam—it’s where he’s met many friends, taken on new challenges, and connected with communities that share his passion.
