On October 3, 2025, Discord disclosed a data breach affecting approximately 70,000 users whose government-issued ID photos were exposed. The breach stemmed from a compromise of a third-party customer support platform, Zendesk, which Discord uses for age verification and customer support. Hackers accessed and exfiltrated sensitive data, including over 2 million photos of government IDs, user names, Discord usernames, email addresses, billing information, IP addresses, and messages exchanged with support teams. The attackers provided proof of the breach to security researchers and are actively attempting to extort Discord by threatening to release the stolen data publicly. Discord attributes the breach to a malicious campaign targeting Zendesk's software suite but states Zendesk's platform itself was not compromised. This incident follows a similar breach in 2023 involving a third-party support agent's ticket queue. The breach underscores the risks of third-party data handling, especially for sensitive identity verification data. The attackers' ability to access extensive personal and corporate data raises concerns about identity theft, phishing, and targeted extortion. The breach also highlights the need for robust vendor security assessments and incident response plans involving third-party services.

For European organizations, the breach poses significant privacy and security risks, especially for users who provided government-issued IDs for age verification or other purposes. Exposure of such sensitive personal data can lead to identity theft, fraud, and targeted phishing attacks. Organizations relying on Discord for communication or customer engagement may face reputational damage and legal liabilities under the GDPR due to inadequate protection of personal data. The breach also raises concerns about the security of third-party service providers, which are commonly used across industries in Europe. If attackers release the stolen data, it could facilitate large-scale identity fraud and social engineering campaigns targeting European users. Additionally, the incident may prompt regulatory scrutiny and enforcement actions against organizations that fail to ensure third-party compliance with data protection standards. The breach highlights the critical need for European entities to evaluate their third-party risk management and data protection strategies to prevent similar incidents.

European organizations should implement comprehensive third-party risk management programs that include rigorous security assessments and continuous monitoring of vendors handling sensitive data. Specifically, organizations using Discord or similar platforms should: 1) Limit the amount of sensitive data shared with third-party services and ensure data minimization principles are applied. 2) Enforce strict access controls and encryption for data stored or processed by third parties. 3) Require contractual obligations for vendors to comply with GDPR and cybersecurity best practices, including incident notification requirements. 4) Monitor for signs of extortion or data leakage related to third-party breaches and establish rapid incident response protocols. 5) Educate users about the risks of identity theft and phishing stemming from such breaches. 6) Regularly audit and review third-party security posture, including penetration testing and compliance checks. 7) Consider alternative solutions or in-house capabilities for sensitive identity verification processes to reduce reliance on external vendors. 8) Collaborate with law enforcement and cybersecurity communities to share threat intelligence related to extortion attempts and data misuse.