Hackers stole partial payment information and personally identifying data associated with some Discord users after compromising a third-party customer service provider.
The attack occurred on September 20 and affected “a limited number of users” who interacted with Discord’s customer support and/or Trust and Safety teams.
Discord was created as a communication platform for gamers, who represent more than 90% of the userbase, but expanded to various other communities, allowing text messages, voice chats, and video calls.
According to the platform’s statistics, more than 200 million people are using Discord every month.
Hackers demanded a ransom
In the notification to affected users, the messaging company says that the attack occurred on September 20 and “an unauthorized party gained limited access to a third-party customer service system used by Discord.”
On Friday, Discord disclosed the incident publicly, saying that it took immediate action to isolate the support provider from its ticketing system and started an investigation.
This included revoking the customer support provider’s access to our ticketing system, launching an internal investigation, engaging a leading computer forensics firm to support our investigation and remediation efforts, and engaging law enforcement - Discord
The attack appears to be financially motivated, as the hackers demanded a ransom from Discord in exchange for not leaking the stolen information.
Exposed data includes personally identifying information such as real names and usernames, email addresses, and other contact details provided to the support team.
The social communication service says IP addresses, messages and attachments sent to customer service agents were also compromised.
The hackers also accessed photos of government-issued identification documents (driver’s license, passport) for a small number of users.
Partial billing info, like payment type, the last four credit card digits, and purchase history associated with the compromised account, were exposed as well.
Discord's data breach notification to affected users
source: VX-Underground
VX-Underground security group notes that the type of data stolen from Discord users represents “literally peoples [sic] entire identity.”
Alon Gal, Chief Technology Officer at threat intelligence company Hudson Rock, believes that if the hackers release the Discord data, it could provide crucial information to help uncover or solve crypto hacks and scams.
“I’ll just say that if it leaks, this db is going to be huge for solving crypto related hacks and scams because scammers don’t often remember using a burner email and VPN and almost all of them are on Discord,” says Alon Gal, Chief Technology Officer at Hudson Rock
Currently, it is unclear how many Discord users are affected, and the name of the third-party provider or the access vector has not been disclosed publicly.
However, the Scattered Lapsus$ Hunters (SLH) threat group claimed the attack saying that they breached a Zendesk instance used by Discord for customer support.
An image the hackers posted online shows a Kolide access control list for Discord employees with access to the admin console. Kolide is a device trust solution that connects to Okta cloud-based Identity and Access Management (IAM) service for multi-factor authentication.
SLH confirmed to BleepingComputer that it was a Zendesk breach that allowed them to steal the Discord user data.
BleepingComputer contacted Discord with a request for more details about the attack, but a comment from the social communications platform was not immediately available.
It is worth noting that hundreds of companies had their Salesforce instances compromised after the ShinyHunters extortion group accessed them using stolen Salesloft Drift OAuth tokens.
Last month, the hackers claimed to have stolen more than 1.5 billion Salesforce records from 760 companies.
More recently, ShinyHunters launched a data leak site listing more than three dozen victims.