On September 20, 2025, an unauthorized party breached a third-party customer support system used by Discord. The attacker gained access to support tickets, attachments, and associated metadata, not by breaching Discord’s own servers but by exploiting the vendor, currently reported to be Zendesk according to multiple news outlets. It is important to note that this was not a flaw in Zendesk’s own security infrastructure but appears to have resulted from social engineering against individuals using the Zendesk environment. Discord publicly disclosed the incident on October 3, describing it as a limited breach affecting users who had interacted with Customer Support and Trust & Safety.

Discord stated that the attacker accessed a vendor’s ticketing environment and was able to view or exfiltrate support data for a subset of users. The company confirmed that names, Discord usernames, email addresses, and other contact details were affected, along with messages exchanged with support agents and any attachments users submitted. Some IP addresses tied to support sessions were also included. A small number of government-issued ID images, such as drivers’ licenses or passports, were exposed for users who had submitted them during verification or appeals. Discord also noted that limited internal corporate material, including training documents, may have been accessed.

The company emphasized that passwords, authentication tokens, direct messages, and full credit card data were not compromised. However, even limited support data can contain personal information valuable to attackers, and the inclusion of ID images makes this breach particularly sensitive.

Conflicting Claims and Unverified Details

A group calling itself Scattered Lapsus$ Hunters (SLH) claimed responsibility for the breach. The name references elements of earlier threat groups, including Lapsus$, Scattered Spider, and ShinyHunters, suggesting a hybrid identity or shared membership. SLH has also been linked to similar attacks involving Salesforce and other large SaaS ecosystems. Their operations often rely on compromised OAuth tokens or support-agent credentials rather than direct exploitation of core systems.

In this case, SLH claimed to have accessed Discord’s vendor environment for roughly 58 hours, exfiltrating around 1.5 terabytes of data. They alleged the theft of millions of user tickets and government ID images, publishing screenshots of support tools and access control lists as proof. Discord disputes these numbers and characterizes the attackers’ claims as exaggerated and part of an extortion campaign. The company maintains that approximately 70,000 users were affected and that the breach was contained after vendor access was revoked.

Early indicators suggest the attacker used a compromised support-agent account or hijacked a live session within the vendor’s system. From there, they were able to navigate ticket queues and attachments until detection and removal. This type of compromise is consistent with the group’s previous activity, which tends to focus on social engineering, stolen credentials, and third-party integrations.

Lessons for Organizations and Vendors

This incident demonstrates how service desks and their tooling are targets. The attacker did not need to compromise Discord’s core infrastructure to reach highly sensitive data. By targeting a connected support vendor, they bypassed traditional perimeter defenses and gained access to a system containing identity information, ID documents, and communications between users and staff.

Support environments are often rich with personal data, such as names, addresses, screenshots, and password-reset requests, making them prime targets. When help desks are built on platforms like Zendesk or ServiceNow, attackers know that compromising a single set of credentials can open years of archived tickets. The risk is amplified when support agents collect or store government IDs or other sensitive material for verification purposes.

Incidents like this underline the need for identity verification, segmentation, and strict data retention controls inside support workflows. Organizations should ensure that vendors follow the same authentication and access policies enforced internally. More importantly, they should minimize what data persists after a support issue is resolved.

At Traceless, we have long warned that help desks and third-party systems represent one of the largest unguarded surfaces in modern cybersecurity. Because Traceless integrates directly with platforms like Zendesk, ServiceNow, and ConnectWise Manage, identity verification and ephemeral data sharing can occur within existing workflows without leaving permanent records. Passwords, API keys, and ID files can be exchanged as one-time-use links that automatically expire after retrieval.
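The one-time, expiring exchange described above can be sketched in a few lines. This is an added illustration, not Traceless code or any vendor's API; the class `OneTimeStore` and its methods `put`, `take`, and `purge_expired` are hypothetical names, and the in-memory dictionary stands in for whatever storage a real service would use.

```python
import hashlib
import secrets
import time


class OneTimeStore:
    """Hypothetical in-memory store: each payload can be fetched once, before a deadline."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._items = {}  # sha256(token) -> (expires_at, payload)

    @staticmethod
    def _key(token: str) -> str:
        # Index by hash so a dump of the store does not yield usable links.
        return hashlib.sha256(token.encode()).hexdigest()

    def put(self, payload: bytes, ttl_seconds: float) -> str:
        """Store a payload and return the bearer token to embed in the link."""
        token = secrets.token_urlsafe(32)
        self._items[self._key(token)] = (self._clock() + ttl_seconds, payload)
        return token

    def take(self, token: str):
        """Return the payload once; the record is removed even if it has expired."""
        entry = self._items.pop(self._key(token), None)
        if entry is None:
            return None  # unknown token, or already retrieved
        expires_at, payload = entry
        return payload if self._clock() < expires_at else None

    def purge_expired(self) -> int:
        """Delete links nobody opened in time, so nothing lingers in the ticket system."""
        now = self._clock()
        stale = [k for k, (exp, _) in self._items.items() if exp <= now]
        for k in stale:
            del self._items[k]
        return len(stale)


if __name__ == "__main__":
    store = OneTimeStore()
    link_token = store.put(b"constructed sample: scanned ID bytes", ttl_seconds=900)
    print(store.take(link_token) is not None)  # first retrieval succeeds
    print(store.take(link_token))              # second retrieval finds nothing
```

The ticket itself then holds only the link, which is useless to anyone who reads the archive after the first retrieval or after the deadline.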

If ephemeral and identity-verified exchanges had been used in Discord’s vendor system, the attackers would have found little of value to extract. No lingering attachments, no long-lived credentials, and no personal documents stored beyond their useful life. The point is not that Discord or Zendesk failed; it is that this pattern is systemic. Every organization using a vendor-based support model now faces the same exposure, which means every organization needs to be implementing a solution like Traceless.

This breach is a reminder that trust itself is an attack surface. Reducing that surface begins with verifying who is on the other end and ensuring that sensitive data disappears when it is no longer needed.

The most effective time to strengthen your defenses is before an incident occurs. Book a demo to see how Traceless can be implemented in under 10 minutes. All plans are month-to-month, with no long-term commitment.