Discord admits data breach via outsourced support service

Paul Ducklin
10/08/2025

Crime group SLH claims responsibility

Popular messaging and voice-calling service Discord has owned up to a data breach via an outsourcing company that handles its customer support.

The company couldn’t resist starting its breach notification with the ironic words, “At Discord, protecting the privacy and security of our users is a top priority,” before admitting that it had nevertheless been the victim of cyberblackmail:

An unauthorized party targeted our third-party customer support services to access user data, with a view to extort a financial ransom from Discord.

According to numerous news reports, the cybercrime gang SLH has claimed responsibility for this attack.

SLH is a sort-of hybrid nickname short for Scattered LAPSUS$ Hunters, an agglomeration of the crime group names Scattered Spider, LAPSUS$, and ShinyHunters, three different sets of partners-in-crime allegedly responsible for numerous ransomware and blackmail incidents in recent years.

Based on arrests over the last few years, members of these crime groups generally seem to be young, typically teenagers, and particularly skilled (if that is an acceptable word to use for a dedication to perpetrating serious crimes) at social engineering.

In social engineering attacks, organizations are breached not through technical tricks such as exploiting software vulnerabilities, but through human manipulation such as convincing support staff to reset other users’ passwords, or to read out secret authentication codes that aren’t supposed to be shared with anyone else.


If you’re a LinkedIn user and you’re not yet following @SolCyber, do so now to keep up with the delightfully useful Amos The Armadillo’s Almanac series. SolCyber’s lovable mascot Amos provides regular, amusing, plain-English cybersecurity explanations, all the way from MiTM and IDS to DDoS and RCE.

Even if you know all the jargon yourself, Amos will help you explain it to colleagues, friends, and family in an unpretentious, unintimidating way.


Despite their apparent youth, these criminals are perfectly willing to put entire companies at risk of collapse, to put workers’ livelihoods in danger, and to steal and sell on personal data of customers and employees alike, all the while demanding vast blackmail payments to “make the problem go away.”

Brand names affected in the past few years by members of these three now-affiliated groups (a collectivization that was likely prompted by the arrests of numerous people from each group) allegedly make up a laundry-list of multinational corporations.

Examples include: cybersecurity company Okta in 2022; event ticketing business Ticketmaster in 2024; global retailer Marks & Spencer in early 2025; and Indian-owned automotive maker Jaguar Land Rover (JLR) at the end of August 2025.

The side-effects of the attack on JLR are still being felt at the time of writing, several weeks later.

Some vehicle production may restart this week, but most production lines are still stalled, with some manufacturing companies upstream in JLR’s supply chain staring at financial ruin as their own production and sales have stalled as a consequence.

What happened?

Discord notes that the criminals are now in possession of at least the following data from users who have contacted its support team:

  • All contact details provided to support staff, typically including at least real name, username, and email address.
  • Billing details, including purchase history and the last four digits of payment card numbers. (Actual payment processing is done elsewhere, so full card details were apparently not stolen.)
  • IP addresses of users.
  • Messages and attachments exchanged with support staff during calls.

Crucially, customers who contacted the support team to prove their identity will have shared scans of ID documents such as passports and driving licenses, and those scans are now in the hands of the criminals.

Users whose identities were automatically approved via Discord’s online verification system are probably OK: like the above-mentioned payment card data, those ID scans are apparently processed and stored elsewhere.

Fortunately, only support-related messages were accessed in the attack, so that chats, calls and messages sent via Discord itself to other users and groups were not affected.

Annoyingly, perhaps, Discord says that the only way that victims will find out that their data was stolen is if they receive an email from noreply@discord.com.

In other words, the “top priority” that the company claims to assign to its customers’ privacy and security doesn’t extend to personalized support for worried victims now that a breach has happened.

An automated email that can’t be replied to is apparently all that the company’s users can expect.

(To be fair, the upside of this impersonal response, as Discord itself points out, is that any phone call you receive that references the Discord breach is the work of a charlatan or a fraudster.)

What to do?

  • Practice what you will say if you suffer a breach yourself. Discord seems to have provided a useful list of what may have been stolen, together with a list of data that it feels sure was not breached, which includes full card data, passwords or authentication tokens, and chats and messages with anyone other than support. You might want to decide in advance, however, not to lead off with tired platitudes such as “we take your security seriously” or “your security is our top priority” when the breach you are reporting gives the lie to these claims.
  • If your data is affected in a breach of this sort, consider carefully how much personal information you may have lost. Be particularly cautious of follow-up messages that claim to be official attempts to help you to “recover” from the effects of any cyberattack, because these connections are likely to be initiated either by the criminals who launched the attack in the first place, or by other crime groups to whom the stolen data was sold on.
  • Whenever you need to contact a company you do business with, whether in the aftermath of a breach or just in everyday life, initiate the contact yourself. Use contact details from a source you can trust, such as the phone number printed on the back of your payment card, or the email address listed on the original documents you received when you signed up for an account. Never trust contact details provided in a phone call, text message or email that could have come from anyone.
  • Get help if you need it. Stay on top of cyberthreats without distracting staff from your core business. Sign up with SolCyber to do it for you, human style!

Why not ask how SolCyber can help you do cybersecurity in the most human-friendly way? Don’t get stuck behind an ever-expanding convoy of security tools that leave you at the whim of policies and procedures that are dictated by the tools, even though they don’t suit your IT team, your colleagues, or your customers!


More About Duck

Paul Ducklin is a respected expert with more than 30 years of experience as a programmer, reverser, researcher and educator in the cybersecurity industry. Duck, as he is known, is also a globally respected writer, presenter and podcaster with an unmatched knack for explaining even the most complex technical issues in plain English. Read, learn, enjoy!
