Popular messaging and voice-calling service Discord has owned up to a data breach via an outsourcing company that handles its customer support.
The company couldn’t resist starting its breach notification with the ironic words, “At Discord, protecting the privacy and security of our users is a top priority,” before admitting that it had nevertheless been the victim of cyberblackmail:
An unauthorized party targeted our third-party customer support services to access user data, with a view to extort a financial ransom from Discord.
According to numerous news reports, the cybercrime gang SLH has claimed responsibility for this attack.
SLH is a sort-of hybrid nickname short for Scattered LAPSUS$ Hunters, an agglomeration of the crime group names Scattered Spider, LAPSUS$, and ShinyHunters, three different sets of partners-in-crime allegedly responsible for numerous ransomware and blackmail incidents in recent years.
Based on arrests over the last few years, members of these crime groups generally seem to be young, typically teenagers, and particularly skilled (if that is an acceptable word to use for a dedication to perpetrating serious crimes) at social engineering.
In social engineering attacks, organizations are breached not through technical tricks such as exploiting software vulnerabilities, but through human manipulation such as convincing support staff to reset other users’ passwords, or to read out secret authentication codes that aren’t supposed to be shared with anyone else.
Despite their apparent youth, these criminals are perfectly willing to put entire companies at risk of collapse, to put workers’ livelihoods in danger, and to steal and sell on personal data of customers and employees alike, all the while demanding vast blackmail payments to “make the problem go away.”
Brand names affected in the past few years by members of these three now-affiliated groups (a collectivization that was likely prompted by the arrests of numerous people from each group) allegedly make up a laundry list of multinational corporations.
Examples include: cybersecurity company Okta in 2022; event ticketing business Ticketmaster in 2024; global retailer Marks & Spencer in early 2025; and Indian-owned automotive maker Jaguar Land Rover (JLR) at the end of August 2025.
The side-effects of the attack on JLR are still being felt at the time of writing, several weeks later.
Some vehicle production may restart this week, but most production lines are still stalled, with some manufacturing companies upstream in JLR’s supply chain staring at financial ruin as their own production and sales have stalled as a consequence.
Discord notes that the criminals are now in possession of at least the following data from users who have contacted its support team:
Crucially, customers who contacted the support team to prove their identity will have shared scans of ID documents such as passports and driving licenses, and those scans are now in the hands of the criminals.
Users whose identities were automatically approved via Discord’s online verification system are probably OK: like the above-mentioned payment card data, those ID scans are apparently processed and stored elsewhere.
Fortunately, only support-related messages were accessed in the attack, so chats, calls and messages sent via Discord itself to other users and groups were not affected.
Annoyingly, perhaps, Discord says that the only way that victims will find out that their data was stolen is if they receive an email from noreply@discord.com.
In other words, the “top priority” that the company claims to assign to its customers’ privacy and security doesn’t extend to personalized support for worried victims now that a breach has happened.
An automated email that can’t be replied to is apparently all that the company’s users can expect.
(To be fair, the upside of this impersonal response, as Discord itself points out, is that any phone call you receive that references the Discord breach is the work of a charlatan or a fraudster.)
Paul Ducklin is a respected expert with more than 30 years of experience as a programmer, reverser, researcher and educator in the cybersecurity industry. Duck, as he is known, is also a globally respected writer, presenter and podcaster with an unmatched knack for explaining even the most complex technical issues in plain English. Read, learn, enjoy!