Discord has confirmed a significant security breach of its third-party customer service platform.
That platform was Zendesk, according to security researchers cited by Cyber Kendra.
The breach follows a spate of breaches across many competitive CRM and helpdesk systems, with social engineering still the most common means of poaching customer information. Yet many other types of attack are emerging.
In a blog post divulging the attack, Discord shared more details. It noted:
“The unauthorized party… gained access to information from a limited number of users who had contacted Discord through our Customer Support and/or Trust & Safety teams.”
Discord also suggested the attackers were targeting their third-party customer support servers to “extort a financial ransom from Discord”.
In an email to the affected users, Discord said that personal information was released in the attack, including:
- Name, Discord username, email and other contact details if provided to Discord customer support
- Limited billing information such as payment type, the last four digits of your credit card, and purchase history if associated with your account
- IP addresses
- Messages with our customer service agents
- Limited corporate data (training materials, internal presentations)
A small number of government-issued ID images were also swept up in the process, increasing the danger of identity theft.
However, Discord has emphasized that data such as full credit card numbers or CCV codes, messages beyond discussions with customer support, or passwords were not involved in the cyberattacks.
Additionally, the company says it has notified the relevant data protection authorities and is proactively working with law enforcement to investigate the attacks, reviewing its threat detection and security systems, as well as continuing to audit its third-party systems.
Discord has also warned the affected users to be aware of any suspicious messages or communications, and has deployed more service agents to handle any additional support or queries.
Across social media, many industry commentators have weighed in on the breach.
One account on LinkedIn said, “When [a] data breach happens, it will be your company name on the news headlines… not the name of the third-party provider.”
Another said, “We can no longer afford a reactive approach to cybersecurity.”
Meanwhile, Baker Johnson, Chief Business Officer at UJET, told CX Today: “This isn’t just a data breach; it’s a fundamental break in the customer relationship. When a customer reaches out for help, it’s a relational moment.
A security failure like this turns that moment of trust into a broken, dangerous transaction.”
More Attacks on CRM Systems
The Discord attack is the latest in a long line of data breaches on CRM systems.
In September, Salesforce made headlines after the FBI released an alert warning the public of cybercriminal attacks on Salesforce’s platforms, following a string of its customers’ announcements of data breaches and stolen information.
Earlier in the month, SalesLoft’s Drift Bot was also temporarily shut down due to an issue that allowed attackers to backdoor their way into Salesforce records.
Meanwhile, only last week, the luxury department store, Harrods, released a statement confirming almost half a million customer records were affected by an attack on an unnamed third-party customer service software provider.