Discord updates breach disclosure, government IDs of tens of thousands compromised

At least 70,000 government IDs used for age assurance were exposed in a third-party support breach impacting Discord users around the world.

What started as just “a small number of government ID images” compromised in a recent third-party data breach impacting Discord users has now ballooned out to some 70,000 passports and driver’s licenses breached by a threat actor that may be linked to the Crimson Collective, a group with ties to Scattered Lapsus$ Hunters.

“This incident impacted a limited number of users who had communicated with our Customer Support or Trust & Safety teams,” Discord said in an 8 October update to its breach disclosure.

“Of the accounts impacted globally, we have identified approximately 70,000 users that may have had government ID photos exposed, which our vendor used to review age-related appeals.”

However, multiple other analysts and observers have said that 70,000 may be just the tip of the iceberg.

Malware researcher vx-underground said in an 8 October post to X that they believed the number to be far higher, while also saying that it was the company’s Zendesk instance that was targeted.

“Discord is being extorted by the people who compromised their Zendesk instance,” vx-underground said.

“They’ve got 1.5TB of age verification-related photos. 2,185,151 photos.

“tl;dr 2.1m Discord users’ driver’s license and/or passport might be leaked. Unknown number of e-mails.”

Speaking to cyber security media outlet BleepingComputer, Discord has denied these claims, saying that it’s merely an attempt by the hacker to apply pressure to the company.

“... the numbers being shared are incorrect and part of an attempt to extort a payment from Discord,” Discord said, before reiterating its updated figure of 70,000 IDs being affected.

The hackers, however, told BleepingComputer they have 1.6 terabytes of data from the Zendesk compromise, including 1.5 terabytes of support ticket attachments, and more than 100 gigabytes of transcripts.

“The hackers say this consisted of roughly 8.4 million tickets affecting 5.5 million unique users, and that about 580,000 users contained some sort of payment information,” BleepingComputer said.

“The threat actors themselves acknowledged to BleepingComputer that they are unsure how many government IDs were stolen, but they believe it is more than 70,000, as they say there were approximately 521,000 age-verification tickets.”

The identity of the hackers remains largely unknown, but a group known as the Crimson Collective, which appears to have some overlap with members of Scattered Lapsus$ Hunters, could be linked to the incident.

“The ongoing situation with the Discord Zendesk threat actor, who continues to leak sensitive data and escalate their actions by releasing additional samples daily, serves as a stark warning to corporations. Ignoring individuals who offer an opportunity for resolution is a grave misstep,” Crimson Collective said in a post to its Telegram channel on 9 October.

“Discord’s failure to address these concerns has backfired, fueling discontent among its user base. Their poorly implemented age compliance policies, including arbitrary ID verification demands, coupled with deplorable management practices, have provoked a justified backlash. This should be a lesson in the consequences of neglecting accountability and transparency.

“Don’t be the next headline, just pay and go to sleep.”

“Do not be the next headline” is a phrase heavily used throughout Scattered Lapsus$ Hunters’ darknet leak site.

Speaking to the overlap between this group and the Crimson Collective, Christiaan Beek, senior director of threat analytics at Rapid7, told Cyber Daily that it all leads back to a broader hacking collective.

“Members of these ‘groups’ originate from the same English-language cyber criminal community, ‘the Com,’ which is active across numerous Telegram and Discord servers. The interaction between these three groups occurs because their members operate within and across them,” Beek said.

“We believe, however, that the names Lapsus$ and ShinyHunters are being abused as a ‘marketing brand’ rather than representing the original groups in action. This is because Lapsus$ has essentially died since the lead members were taken into custody, and the original ShinyHunters weren’t known for being as loud as is now being demonstrated. These are just the actions of a few leading this, as others hop on and off.”

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
