Discord has announced a security incident involving its third-party customer service vendor, 5CA, which may have exposed 70,000 government ID photos. 5CA has since issued a statement denying that its systems were breached, leaving two conflicting accounts of the event.
According to the chat platform, the incident affected a specific group of users. Discord stated, “this incident impacted a limited number of users who had communicated with our Customer Support or Trust & Safety teams.” Within this group, the company identified “approximately 70,000 users that may have had government-ID photos exposed.” These identification documents were used by the vendor to review age-related appeals submitted by users. Discord emphasized that the event was not a direct compromise of its own infrastructure, stating, “this was not a breach of Discord, but rather a breach of a third-party service provider, 5CA, that we used to support our customer service efforts.”
In response to Discord’s announcement, 5CA posted a formal statement on its website presenting a different account of the incident. The customer support company declared it was “not hacked.” The statement specified, “Contrary to these reports, we can confirm that none of 5CA’s systems were involved, and 5CA has not handled any government-issued IDs for this client.” 5CA affirmed the integrity of its infrastructure, adding, “All our platforms and systems remain secure, and client data continues to be protected under strict data protection and security controls.”
5CA said it is conducting an ongoing forensic investigation into the matter, working closely with its client, Discord, and with external advisors. The company has engaged cybersecurity experts and ethical hackers to assist in the inquiry. The statement noted that based on interim findings from this investigation, “we can confirm that the incident occurred outside of our systems.” The company also reported that there is currently “no evidence of any impact on other 5CA clients, systems, or data” as a result of the reported incident.
The vendor has offered a potential explanation for the data exposure while its investigation continues. Its statement reads:
We are aware of media reports naming 5CA as the cause of a data breach involving one of our clients. Contrary to these reports, we can confirm that none of 5CA’s systems were involved, and 5CA has not handled any government-issued IDs for this client. All our platforms and systems remain secure, and client data continues to be protected under strict data protection and security controls.
We are conducting an ongoing forensic investigation into the matter and collaborating closely with our client, as well as external advisors, including cybersecurity experts and ethical hackers. Based on interim findings, we can confirm that the incident occurred outside of our systems and that 5CA was not hacked. There is no evidence of any impact on other 5CA clients, systems, or data. Access controls, encryption, and monitoring systems are fully operational and, as a precautionary measure, are under heightened review.
Our preliminary information suggests the incident may have resulted from human error, the extent of which is still under investigation. We remain in close contact with all relevant parties and will share verified findings once confirmed.
-5CA
Following the conflicting statements from the two companies, several key questions remain unanswered. 5CA has been asked to confirm whether its operations involved handling the government ID photos in question and to provide more specific information about the “human error” it referenced as a possible cause. Concurrently, Discord has been asked to confirm which company was in possession of the government ID photos that may have been accessed during the security incident.