A newly filed data breach notice claims more than 10 million Discord users may have been affected, reigniting concerns of a data breach. However, the report that the authorities published looks suspicious.
-
Data breach notice filed with the Maine Attorney General's Office claims over 10 million Discord users were impacted by "insider wrongdoing," but the report is riddled with red flags that suggest it may be bogus.
-
The report was submitted by someone named "Xavier Morrison" using a personal email and what appears to be a fake phone number — not by Discord or its legal representatives, which is how legitimate breach filings work.
-
The breach allegedly occurred in July 2024, was discovered in August 2025, and the notification timeline listed dates in the 2000s. No notification letter to affected individuals was attached.
-
The AG's office confirmed that breach filings are posted automatically with no verification before going live, exposing a serious flaw in the system that anyone could exploit to file fraudulent reports.
-
Discord previously confirmed a third-party vendor compromise that exposed ~70,000 users' government-issued ID photos, giving the bogus report just enough plausibility to generate headlines and concern.
A data breach notice filed with the Maine Attorney General's Office claims that more than 10 million individuals may have been affected by a security incident at Discord.
The communication platform, popular among gamers, developers, and online communities worldwide, has been allegedly breached due to "insider wrongdoing" as listed in a filing that went live on the regulator's website on June 8th.
It states that the breach allegedly occurred on July 9th, 2024, and was discovered on August 2nd, 2025. However, the notice provides few technical details and does not include a public copy of any notification letter sent to affected individuals.
According to the filing, the incident involved the exposure of personal information, although the specific data types were not disclosed beyond "name or other personal identifier."
No identity theft protection services were reportedly offered to affected individuals, which is suspicious in itself, given the scale of the alleged data breach.
Bogus report to regulators?
The breach claim raises plenty of questions. Normally, the company itself or its legal representatives have the right to report cyber incident files to regulators. This time, however, the report says it was a person named “Xavier Morrison” providing their personal email address. The listed phone number appears to be fake.
The dates also do not add up, as the breach report states that notifications to affected individuals began in the 2000s. Also, no copy of the notification letter for affected individuals is attached to the filings.
For comparison, Baker & Hostetler LLP submitted this report to the Maine Attorney General in 2023 on behalf of Discord. At the time, 180 individuals were affected.
The scale of the alleged breach is very large. However, it is technically possible, as Discord currently has over 750 million registered accounts globally and approximately 260 million monthly active users.
Breach reports are submitted to the Maine Attorney General via an online breach report form, but does this report reveal that submitted forms are not reviewed before publishing them online?
Cybernews has reached out to Discord and the Maine Attorney General for clarification. Maine Attorney General Office representative responded that the breach notifications come directly from the entity submitting.
"We do not have any independent information and they are posted automatically. We will review it, thank you for flagging this," the spokesperson said.
Discord has had cyber incidents before
Discord has a record of cyber incidents. For example, it previously confirmed a security incident involving one of its external service providers.
In a public statement published on October 9th, 2025, the company said it had discovered unauthorized access involving 5CA, a third-party customer support vendor.
Curious what others think about this story? Contribute your thoughts to the debate below.
Discord emphasized that the incident was not a direct breach of Discord systems but rather affected a vendor that handled customer support and Trust & Safety operations.
According to Discord, the breach impacted a limited number of users who had communicated with customer support teams.
The company also reported that it had identified approximately 70,000 users globally whose government-issued ID photos may have been exposed during age-verification appeal reviews.
And in May, the Lapsus$ cybercrime group claimed to have compromised a third-party customer support environment used by Discord.
The allegedly leaked information appeared online. However, according to Cybernews researchers who investigated deeper, the claims were suspicious and likely not legitimate.
Updated on June 11th [5:00 p.m. GMT+2] with a statement from Maine Attorney General’s Office.
Unlock more exclusive Cybernews content on YouTube.
Your email address will not be published. Required fields are markedmarked