Windows Central
Adam Hales

Hackers infiltrate Discord’s ID checks, and it's bad news — 70,000 users' personal data exposed

Discord desktop app showing The Division server.

As reported by the BBC, on September 20, 2025, a third-party provider called 5CA was compromised. The company supports Discord’s customer service and age verification appeals.

The breach lasted 58 hours and is believed to have been carried out by the groups known as Scattered Spider, LAPSUS$ and ShinyHunters. Discord confirmed the incident on October 2, 2025, stating that around 70,000 users were affected worldwide.

What data was exposed — and what wasn’t

The more our personal data is sent to places like this, the more people will try and steal it. (Image credit: Getty Images | quantic69)

From this breach, hackers managed to obtain several types of data, including:

  • Government-issued IDs such as passports and driver’s licenses
  • Emails, full names, usernames, and contact details
  • Limited billing data, payment types used, last four digits of card numbers, and purchase history
  • IP addresses, customer support messages, and internal training documentation

Fortunately for users, full credit card numbers, CVV codes, passwords, and private messages were not compromised.

Hackers initially claimed to have obtained over one million IDs, but Discord refuted this, confirming that around 70,000 IDs were stolen.

While that number is still significant, the incident raises larger concerns about the growing use of mandatory age verification systems. In the UK, for instance, such checks are now required across many websites.

Personally, I find this approach troubling — it risks pushing younger users toward unsafe sites that don’t require ID, or encouraging the use of VPNs to bypass restrictions.

Hackers’ ransom demands and Discord’s response

Naturally, the bad actors behind this want cash. (Image credit: Getty Images | Witthaya Prasongsin)

Hackers demanded a ransom from Discord, initially asking for $5 million before lowering it to $3.5 million. Discord refused to pay, with negotiations reportedly taking place between September 25 and October 2, 2025.

In a statement, the company said, “We will not reward those responsible for their illegal actions.” Since then, Discord has revoked 5CA’s access, launched an internal investigation, and notified the relevant authorities.

Discord has sent email notifications to users whose data was affected. These messages come from noreply@discord.com, so it’s worth checking your inbox if you’ve submitted ID verification details.

Why this breach matters for age verification laws

Discord's breach is a timely reminder of the potential issues with mandatory age verification services.

Unfortunately, this kind of situation could become the norm as more countries, including the UK, now require users to verify their ages under new online safety laws. In the UK, the Online Safety Act came into full effect in July 2025, making age verification mandatory across many platforms.

In this case, Discord’s age verification appeals system was the specific target. Users flagged as underage were asked to submit government ID photos to confirm their age. These manual submissions were handled by 5CA, a third-party vendor, not Discord itself.

That distinction doesn’t make it less concerning. Privacy remains one of the main reasons people oppose mandatory ID checks. Personally, I don’t mind sharing my ID when it’s my choice — but being forced to hand it over feels wrong. For UK users like me, that lack of choice leaves a sour taste.

As far as I’m aware, this is the first major attack tied directly to age verification infrastructure, and it comes just months after such systems were introduced. It’s a worrying start to what could become a global problem. We were lucky that payment information wasn’t compromised this time, but it raises a serious question — how long until that happens? Even without it, the idea that hackers now possess thousands of government-issued IDs and IP addresses is deeply unsettling.

As of October 10, 2025, Discord is still working with law enforcement. So far, the stolen data has not been released publicly, though the hackers have threatened to publish it if their demands aren’t met.

I think I’ve made my stance on our online safety–driven future clear, but I’d be interested to know how others feel and if opinions have changed from our last poll on the topic. Is this trade-off worth it? Privacy may be becoming a thing of the past, but in theory, it’s meant to offer better protection for users online. For now, it remains to be seen whether companies — including Discord — can truly keep that data secure.
