
Discord says the government IDs of just 70,000 customers were compromised in last week’s third-party breach, which has been claimed by the Scattered LAPSUS$ Hunters cybercriminal group. The attack exposes the risks of using third-party vendors to comply with the new age verification laws passed in many nations.
In an updated post on its website, the instant messaging platform said the breach affected only “a limited number of users who had communicated with our Customer Support or Trust & Safety teams.
“Of the accounts impacted globally, we have identified approximately 70,000 users that may have had government-ID photos exposed, which our vendor used to review age-related appeals,” Discord said.
Calling the latest update "very concerning," Nathan Webb, principal consultant at Acumen Cyber, says that the fact that 70,000 individuals potentially had their data breached “highlights how threat actors have quickly set their sights on processes and organizations that facilitate age verification.”
Webb says threat actors have become “aware of the high volume of sensitive, often non-changeable, data they can access via a single successful attack.”
Although Discord is headquartered in San Francisco, Webb points out that with the UK's Online Safety Act in force, the UK government is now partnering with several suppliers to carry out age verification on websites, expanding the risk of third-party attacks on social media and gaming platforms.
“Some of these organizations operate outside the UK, potentially exposing sensitive citizen data to regions that may not adhere to the same data protection rules,” he explains.
Big claims by Scattered LAPSUS$ Hunters
Meanwhile, the notorious Salesforce hacker gang, Scattered LAPSUS$ Hunters, claims it had gained access to Discord’s Zendesk instance for 58 hours starting September 20th, stealing 1.6TB of customer data, according to a report by Bleeping Computer from Wednesday.
Discord has not provided the number of users compromised, but Scattered claims to have information on about 5.5 million users.
Furthermore, the ransomware group, which says it has not counted the number of IDs it has, noted that it has about 521,000 age-verification tickets in its possession, a far cry from the 70K Discord revealed in Wednesday’s update.
Overall, the stolen data, which includes roughly 1.5TB of ticket attachments and 100GB of ticket transcripts, is reported to consist of 8.4 million tickets. The hackers also exposed partial payment information for about 580,000 users.
The ransomware gang also told the media outlet that it had broken into Zendesk’s support application “Zenbar” to carry out the hack, allowing the bad actors to “perform various support-related tasks, such as disabling multi-factor authentication and looking up users’ phone numbers and email addresses.”
In a statement sent to Cybernews, Zendesk reiterated that the “‘Zenbar’ application is not a support application developed or maintained by Zendesk, but was built by Discord for their own use and is not made available by Zendesk for use by other customers.”
Risks of outsourcing age verification
Chris Hauk, Consumer Privacy Champion at Pixel Privacy, says the Discord breach “underscores the concerns many privacy advocates, myself included, have about forcing websites to require users to submit images of their driver's licenses and other personal and financial information before being allowed to access adult and other types of content.”
Hauk warns that cybercriminals often target databases containing personal and financial information, "making info like driver's licenses, social security numbers, credit card and banking account numbers, and other info a valuable commodity among the world's bad actors."
"When third parties are involved, like in this case, it increases the risk to users' information, as it increases the attack surface for breaches such as this," Hauk says.
In the meantime, Webb stresses that even when age verification is outsourced, businesses remain accountable for ensuring that data is stored appropriately, adding that “delegating certain processes does not absolve the responsibility to uphold data protection and security standards.”
Webb also points out that “proper documentation plays a crucial role in understanding and managing these risks,” such as identifying which third parties and remote access tools have access to specific systems and data.
He says this allows organizations to easily pinpoint areas that require enhanced monitoring and tighter security controls.
Additionally, Webb says adopting more robust authentication factors “can significantly reduce the likelihood of account takeovers, such as using Passkeys, strong multi-factor authentication (MFA), and physical security tokens.”
What data was compromised?
In its update, Discord blamed the breach on a hack of global CX provider 5CA (which uses Zendesk software), naming it as the compromised source and stressing that the hack “was not a breach of Discord.”
Discord says once it became aware of the intrusion, it immediately revoked the customer support provider’s access to its ticketing system, alerted law enforcement, and is continuing to investigate.
Besides the government IDs, customer data confirmed by Discord to have been impacted includes:
- Name, Discord username, email, and other contact details if provided to Discord customer support
- Limited billing information, such as payment type, the last four digits of your credit card, and purchase history, if associated with your account
- IP addresses
- Messages with its customer service agents
- Limited corporate data (training materials, internal presentations)
Discord said it was in the process of sending emails out to affected customers.
In August, malicious actors claimed to have scraped billions of Discord user messages and a trove of voice sessions, files, and user profiles.