CRW

Home Wiki

Discord / 5CA Data Breach

View on consumerrights.wiki ↗

Contents3
  1. Background
  2. Incident
  3. References

On 3rd October 2025, Discord published a press release stating that one of their third-party service providers, later revealed to be 5CA, was the target of a data breach. Discord states that they have identified around 70,000 users that may have been impacted by having images of their government ID taken.[1]

Background

In 2023, the UK government passed the Online Safety Act. In 2025, the Online Safety Act was amended to require platforms to verify the age of its users when they try to access content considered harmful to children.[2]

Discord implemented age verification in 2025. A user could verify their age using face scanning or by uploading a picture of their government-issued ID. If the face scan does not correctly determine the user's age as old enough, using their ID becomes the only option to confirm their age.[3]

Incident

Discord stated in a press release that an unauthorized party compromised 5CA, one of the customer service vendors used by Discord, stealing data that was shared by users with their Customer Support. Discord states that they themselves were not breached.

The data involved in the breach was:

  • Name, Discord username, email, and other contact details provided to Discord customer support
  • Limited billing information such as payment type, last four digits of credit card, and purchase history
  • IP addresses
  • Messages with customer service agents
  • Images of users' government IDs

Discord states that around 70,000 users may have had their government ID exposed.[1]

5CA denied that they were hacked, stating that they do not handle government-issued IDs. They admit that the data breach may have involved human error from one of their employees but deny that the breach involved any of their systems or other clients.[4]

BleepingComputer reported to have contacted the hackers involved in the data breach. The alleged hackers claimed that they were able to access the data via Zendesk and collected around 1.6TB of data concerning around 5.5 million users. They claim that Discord understated the amount of users who had their government ID exposed as they found around 521,000 tickets relating to age verification. BleepingComputer could not verify the hackers' claims.[5]

References

  1. 1.0 1.1 "Update on a Security Incident Involving Third-Party Customer Service". Discord. 2025-10-03. Archived from the original on 20 Dec 2025. Retrieved 2025-10-13.
  2. "Online Safety Act: explainer". Gov.uk. April 24, 2025. Archived from the original on 12 Feb 2026.
  3. Rahman-Jones1 Vallance2, Imran1 Chris2 (2025-04-17). "Discord's face scanning age checks 'start of a bigger shift'". BBC. Archived from the original on 2025-12-30. Retrieved 2026-01-10.{{cite web}}: CS1 maint: numeric names: authors list (link)
  4. "Holding Statement Regarding Security Incident". 5CA. 14 October 2025. Archived from the original on 2025-12-19. Retrieved 2026-01-10.
  5. Abrams, Lawrence (2025-10-08). "Hackers claim Discord breach exposed data of 5.5 million users". BleepingComputer. Archived from the original on 2025-12-06. Retrieved 2026-01-10.
Filed under