Discord is a communication platform used by hundreds of millions worldwide, originally built for gamers but now serving communities, businesses, and classrooms alike. At its core, it blends chat, voice, and community-driven spaces into one of the internet’s largest social platforms.
With this scale comes pressure from regulators to enforce mandatory age verification, ensuring minors are not exposed to harmful content. While well-intentioned, these requirements often push platforms into storing sensitive government IDs, a decision that turns them into honeypots for cybercriminals.
In the September 2025 incident (disclosed on the 3rd of October), attackers gained access to a third-party customer service system used by Discord. This intrusion exposed user names, email addresses, Discord usernames, IP addresses, limited payment details such as the last four digits of credit cards, and in some cases government-issued IDs submitted for account appeals. While full credit card numbers and account passwords were not compromised, the presence of scanned IDs made this breach particularly severe for a subset of users.
The breach did not hit Discord’s core infrastructure but rather a third-party helpdesk provider. Customer service platforms hold more than just bug reports; they contain the raw, unfiltered details of user interactions. Emails, IP addresses, payment fragments, scanned IDs, and private attachments flow into these systems every day.
This is why attackers systematically go after helpdesks: we have seen it before with Okta, Salesforce, Zendesk, and others. These systems become the perfect one-stop-shop for identity theft and social engineering. Sensitive data sent to support teams often remains in databases far longer than necessary. Best practice dictates that such data should be sanitized, minimized, and ephemeral, never stored indefinitely, and certainly not in ways that expose entire identities.
The irony is striking: age verification mandates are meant to protect, yet they amplify risk by forcing platforms to collect and retain sensitive IDs. A potential alternative lies in digital identity systems (E-IDs), where users can prove they meet criteria such as age without revealing their full identity. Until such solutions are adopted, every new regulation that requires government ID uploads creates an ever-growing pool of targets for attackers.
