Hackers have obtained information about scores of users on the popular messaging app Discord, putting sensitive data for tens of thousands of people at risk, including images government IDs, names and contact details.
The company announced last week that one of its third-party vendors involved in customer support had been compromised.
Discord said in a statement on Wednesday that hackers breached the vendor, which Discord has not named, as part of a campaign to “extort a financial ransom.”
There are up to 70,000 users that “may have had government-ID photos exposed, which our vendor used to review age-related appeals,” the company added.
In the wake of the breach, Discord has revoked the customer support provider’s access to its ticketing system, launched an internal investigation, engaged a “leading computer forensics firm,” and contacted law enforcement, the company said.
Zendesk, a company involved in customer service for Discord, has said internal investigations showed its own systems were not compromised and that the incident was not related to a vulnerability on its platform.
Hackers claiming to be linked to the breach boasted about the incident on a Telegram channel viewed by 404 Media, a tech news site.
“This is about to get really ugly,” the hackers wrote in the channel.
In these messages, the group claimed to have made off with 1.5 terabytes of data and posted examples including images of people taking selfies with their government IDs, a list of roughly 1,000 email addresses, and details about whether certain users paid for subscriptions on Discord and had multi-factor authentication enabled on their devices.
Discord, which boasts over 200 million monthly users and is popular in the gaming community, has been expanding measures to verify the identities and ages of its users, in the face of regulations such as a U.K. requirement for “robust” age verification.
Officials and critics have previously accused extremists of carrying out recruiting and radicalization efforts on the platform.
There are tradeoffs for online platforms holding sensitive data for age- and ID-verification, critics warn, such as the ability of hackers to access troves of this information.
Data privacy has been a key topic of debate in efforts to regulate the online pornography industry in the U.S., where more than 30 states have some form of age-verification requirement.
