Discord User Data Compromised in Third-Party Breach
Summary
Hackers claim to have stolen data from 5.5 million unique Discord users after compromising a third-party customer service provider. The attack occurred on September 20, 2025, affecting users who interacted with Discord’s customer support and/or Trust and Safety teams. The breach appears to be financially motivated, with hackers demanding a ransom. The Scattered Lapsus$ Hunters (SLH) threat group claimed responsibility for the attack, stating they breached a Zendesk instance used by Discord for customer support. The compromised data includes real names, usernames, email addresses, contact details, IP addresses, messages, attachments, photos of government-issued identification documents, partial billing information, and purchase history. Discord took immediate action to isolate the support provider from its ticketing system and launched an investigation with the help of a forensics firm and law enforcement. The hackers also accessed corporate data, including training materials and internal presentations. Discord has notified law enforcement and relevant data protection authorities about the incident. No full credit card numbers, CVV codes, passwords, or authentication data were compromised. Additionally, no messages or activity on Discord outside of communication with customer support were obtained by the attackers.
Timeline
09.10.2025 03:22 · 1 article
Hackers demand ransom and threaten data leak
The hackers demand $3.5 million in ransom, threatening to leak the data publicly if the demand is not met. Discord confirms they will not pay the ransom demand.
Sources:
- Hackers claim Discord breach exposed data of 5.5 million users — www.bleepingcomputer.com — 09.10.2025 03:22
04.10.2025 14:16 · 4 articles
Third-party breach exposes Discord user data
The hackers claim to have stolen data from 5.5 million unique users. Discord disputes these claims, stating that approximately 70,000 users had their government ID photos exposed. The hackers demand $3.5 million in ransom, threatening to leak the data publicly if the demand is not met. Discord confirms they will not pay the ransom demand. The hackers allege they stole 1.6 TB of data, including 1.5 TB of ticket attachments and over 100 GB of ticket transcripts. The breach affected 8.4 million tickets, with tickets from 580,000 users containing some sort of payment information, and approximately 521,000 age-verification tickets.
Sources:
- Hackers steal identifiable Discord user data in third-party breach — www.bleepingcomputer.com — 04.10.2025 14:16
- Discord discloses data breach after hackers steal support tickets — www.bleepingcomputer.com — 04.10.2025 14:16
- Discord Reveals Data Breach Following Third-Party Compromise — www.infosecurity-magazine.com — 07.10.2025 13:30
- Hackers claim Discord breach exposed data of 5.5 million users — www.bleepingcomputer.com — 09.10.2025 03:22
04.10.2025 14:16 · 2 articles
Scattered Lapsus$ Hunters claim responsibility for the breach
The hackers claim to have accessed Discord’s Zendesk instance for 58 hours beginning on September 20, 2025, through a compromised account belonging to a support agent employed through an outsourced BPO provider.
Sources:
- Discord discloses data breach after hackers steal support tickets — www.bleepingcomputer.com — 04.10.2025 14:16
- Hackers claim Discord breach exposed data of 5.5 million users — www.bleepingcomputer.com — 09.10.2025 03:22
Information Snippets
The attack occurred on September 20, 2025.
First reported: 04.10.2025 14:16 · 2 sources, 4 articles
Sources:
- Hackers steal identifiable Discord user data in third-party breach — www.bleepingcomputer.com — 04.10.2025 14:16
- Discord discloses data breach after hackers steal support tickets — www.bleepingcomputer.com — 04.10.2025 14:16
- Discord Reveals Data Breach Following Third-Party Compromise — www.infosecurity-magazine.com — 07.10.2025 13:30
- Hackers claim Discord breach exposed data of 5.5 million users — www.bleepingcomputer.com — 09.10.2025 03:22
The breach affected a limited number of users who interacted with Discord’s customer support and/or Trust and Safety teams.
First reported: 04.10.2025 14:16 · 2 sources, 4 articles
Sources:
- Hackers steal identifiable Discord user data in third-party breach — www.bleepingcomputer.com — 04.10.2025 14:16
- Discord discloses data breach after hackers steal support tickets — www.bleepingcomputer.com — 04.10.2025 14:16
- Discord Reveals Data Breach Following Third-Party Compromise — www.infosecurity-magazine.com — 07.10.2025 13:30
- Hackers claim Discord breach exposed data of 5.5 million users — www.bleepingcomputer.com — 09.10.2025 03:22
Compromised data includes real names, usernames, email addresses, contact details, IP addresses, messages, attachments, photos of government-issued identification documents, partial billing information, and purchase history.
First reported: 04.10.2025 14:16 · 2 sources, 4 articles
Sources:
- Hackers steal identifiable Discord user data in third-party breach — www.bleepingcomputer.com — 04.10.2025 14:16
- Discord discloses data breach after hackers steal support tickets — www.bleepingcomputer.com — 04.10.2025 14:16
- Discord Reveals Data Breach Following Third-Party Compromise — www.infosecurity-magazine.com — 07.10.2025 13:30
- Hackers claim Discord breach exposed data of 5.5 million users — www.bleepingcomputer.com — 09.10.2025 03:22
The breach appears to be financially motivated, with hackers demanding a ransom.
First reported: 04.10.2025 14:16 · 2 sources, 4 articles
Sources:
- Hackers steal identifiable Discord user data in third-party breach — www.bleepingcomputer.com — 04.10.2025 14:16
- Discord discloses data breach after hackers steal support tickets — www.bleepingcomputer.com — 04.10.2025 14:16
- Discord Reveals Data Breach Following Third-Party Compromise — www.infosecurity-magazine.com — 07.10.2025 13:30
- Hackers claim Discord breach exposed data of 5.5 million users — www.bleepingcomputer.com — 09.10.2025 03:22
Discord took immediate action to isolate the support provider from its ticketing system and launched an investigation with the help of a forensics firm and law enforcement.
First reported: 04.10.2025 14:16 · 2 sources, 4 articles
Sources:
- Hackers steal identifiable Discord user data in third-party breach — www.bleepingcomputer.com — 04.10.2025 14:16
- Discord discloses data breach after hackers steal support tickets — www.bleepingcomputer.com — 04.10.2025 14:16
- Discord Reveals Data Breach Following Third-Party Compromise — www.infosecurity-magazine.com — 07.10.2025 13:30
- Hackers claim Discord breach exposed data of 5.5 million users — www.bleepingcomputer.com — 09.10.2025 03:22
The Scattered Lapsus$ Hunters (SLH) threat group claimed responsibility for the attack, stating they breached a Zendesk instance used by Discord for customer support.
First reported: 04.10.2025 14:16 · 2 sources, 3 articles
Sources:
- Discord discloses data breach after hackers steal support tickets — www.bleepingcomputer.com — 04.10.2025 14:16
- Discord Reveals Data Breach Following Third-Party Compromise — www.infosecurity-magazine.com — 07.10.2025 13:30
- Hackers claim Discord breach exposed data of 5.5 million users — www.bleepingcomputer.com — 09.10.2025 03:22
The hackers posted an image online showing a Kolide access control list for Discord employees with access to the admin console, indicating potential access to the Okta cloud-based Identity and Access Management (IAM) service for multi-factor authentication.
First reported: 04.10.2025 14:16 · 1 source, 2 articles
Sources:
- Discord discloses data breach after hackers steal support tickets — www.bleepingcomputer.com — 04.10.2025 14:16
- Hackers claim Discord breach exposed data of 5.5 million users — www.bleepingcomputer.com — 09.10.2025 03:22
The breach may provide crucial information to help uncover or solve crypto hacks and scams, as many scammers use Discord and may have used burner emails and VPNs.
First reported: 04.10.2025 14:16 · 1 source, 2 articles
Sources:
- Discord discloses data breach after hackers steal support tickets — www.bleepingcomputer.com — 04.10.2025 14:16
- Hackers claim Discord breach exposed data of 5.5 million users — www.bleepingcomputer.com — 09.10.2025 03:22
The exact number of affected Discord users and the specific access vector have not been disclosed publicly.
First reported: 04.10.2025 14:16 · 2 sources, 3 articles
Sources:
- Discord discloses data breach after hackers steal support tickets — www.bleepingcomputer.com — 04.10.2025 14:16
- Discord Reveals Data Breach Following Third-Party Compromise — www.infosecurity-magazine.com — 07.10.2025 13:30
- Hackers claim Discord breach exposed data of 5.5 million users — www.bleepingcomputer.com — 09.10.2025 03:22
The hackers accessed corporate data, including training materials and internal presentations.
First reported: 07.10.2025 13:30 · 2 sources, 2 articles
Sources:
- Discord Reveals Data Breach Following Third-Party Compromise — www.infosecurity-magazine.com — 07.10.2025 13:30
- Hackers claim Discord breach exposed data of 5.5 million users — www.bleepingcomputer.com — 09.10.2025 03:22
Discord has notified law enforcement and relevant data protection authorities about the incident.
First reported: 07.10.2025 13:30 · 2 sources, 2 articles
Sources:
- Discord Reveals Data Breach Following Third-Party Compromise — www.infosecurity-magazine.com — 07.10.2025 13:30
- Hackers claim Discord breach exposed data of 5.5 million users — www.bleepingcomputer.com — 09.10.2025 03:22
No full credit card numbers, CVV codes, passwords, or authentication data were compromised.
First reported: 07.10.2025 13:30 · 2 sources, 2 articles
Sources:
- Discord Reveals Data Breach Following Third-Party Compromise — www.infosecurity-magazine.com — 07.10.2025 13:30
- Hackers claim Discord breach exposed data of 5.5 million users — www.bleepingcomputer.com — 09.10.2025 03:22
No messages or activity on Discord outside of communication with customer support were obtained by the attackers.
First reported: 07.10.2025 13:30 · 2 sources, 2 articles
Sources:
- Discord Reveals Data Breach Following Third-Party Compromise — www.infosecurity-magazine.com — 07.10.2025 13:30
- Hackers claim Discord breach exposed data of 5.5 million users — www.bleepingcomputer.com — 09.10.2025 03:22
The incident follows a trend of data breaches resulting from the compromise of third-party IT service providers in 2025.
First reported: 07.10.2025 13:30 · 1 source, 1 article
Sources:
- Discord Reveals Data Breach Following Third-Party Compromise — www.infosecurity-magazine.com — 07.10.2025 13:30
The hackers claim to have stolen data from 5.5 million unique users.
First reported: 09.10.2025 03:22 · 1 source, 1 article
Sources:
- Hackers claim Discord breach exposed data of 5.5 million users — www.bleepingcomputer.com — 09.10.2025 03:22
The hackers claim to have accessed Discord’s Zendesk instance for 58 hours beginning on September 20, 2025.
First reported: 09.10.2025 03:22 · 1 source, 1 article
Sources:
- Hackers claim Discord breach exposed data of 5.5 million users — www.bleepingcomputer.com — 09.10.2025 03:22
The hackers claim to have gained access through a compromised account belonging to a support agent employed through an outsourced BPO provider.
First reported: 09.10.2025 03:22 · 1 source, 1 article
Sources:
- Hackers claim Discord breach exposed data of 5.5 million users — www.bleepingcomputer.com — 09.10.2025 03:22
The hackers allege they stole 1.6 TB of data, including 1.5 TB of ticket attachments and over 100 GB of ticket transcripts.
First reported: 09.10.2025 03:22 · 1 source, 1 article
Sources:
- Hackers claim Discord breach exposed data of 5.5 million users — www.bleepingcomputer.com — 09.10.2025 03:22
The hackers claim the breach affected 8.4 million tickets, with tickets from 580,000 users containing some sort of payment information.
First reported: 09.10.2025 03:22 · 1 source, 1 article
Sources:
- Hackers claim Discord breach exposed data of 5.5 million users — www.bleepingcomputer.com — 09.10.2025 03:22
The hackers claim the breach included approximately 521,000 age-verification tickets.
First reported: 09.10.2025 03:22 · 1 source, 1 article
Sources:
- Hackers claim Discord breach exposed data of 5.5 million users — www.bleepingcomputer.com — 09.10.2025 03:22
The hackers demand $3.5 million in ransom, threatening to leak the data publicly if the demand is not met.
First reported: 09.10.2025 03:22 · 1 source, 1 article
Sources:
- Hackers claim Discord breach exposed data of 5.5 million users — www.bleepingcomputer.com — 09.10.2025 03:22
Discord disputes the hackers' claims, stating that approximately 70,000 users had their government ID photos exposed.
First reported: 09.10.2025 03:22 · 1 source, 1 article
Sources:
- Hackers claim Discord breach exposed data of 5.5 million users — www.bleepingcomputer.com — 09.10.2025 03:22
Discord confirms they will not pay the ransom demand.
First reported: 09.10.2025 03:22 · 1 source, 1 article
Sources:
- Hackers claim Discord breach exposed data of 5.5 million users — www.bleepingcomputer.com — 09.10.2025 03:22
Similar Happenings
F5 BIG-IP Source Code and Vulnerability Information Stolen in Cyberattack
F5 disclosed a cyberattack in early August 2025 where suspected nation-state hackers breached its systems and stole undisclosed BIG-IP security vulnerabilities and source code. The breach was detected on August 9, 2025, and the attackers had long-term access to F5's BIG-IP product development environment and engineering knowledge management platform. The stolen information includes source code, vulnerability details, and some configuration and implementation information for a limited number of customers. F5 has not found evidence that the stolen information has been used in actual attacks or disclosed publicly. The company has validated the safety of BIG-IP releases through multiple independent reviews by leading cybersecurity firms. F5's BIG-IP is a critical product used in application delivery networking and traffic management by many large enterprises. The company has 23,000 customers in 170 countries, including 48 of the Fortune 50 entities.
Renault and Dacia UK Customers Affected by Third-Party Data Breach
Renault and Dacia UK customers have been notified of a data breach affecting personal information shared with a third-party provider. The breach exposed full names, gender, phone numbers, email addresses, postal addresses, vehicle identification numbers, and vehicle registration numbers. The third-party provider has isolated the incident and removed the threat from its networks. The affected customers are advised to be vigilant against potential phishing and social engineering attacks. The number of impacted customers and the identity of the third-party provider have not been disclosed. The breach follows a significant cyberattack at Jaguar Land Rover in the UK, which disrupted operations for nearly a month, and is part of a string of breaches in the transport sector, impacting JLR, Collins Aerospace, and LNER.
Crimson Collective targets Red Hat and AWS cloud environments for data theft
The Crimson Collective has been targeting AWS cloud environments to steal data and extort companies, including Red Hat. The group claims to have breached Red Hat's private GitLab repositories, stealing nearly 570GB of data across 28,000 internal projects. The stolen data allegedly includes 800 Customer Engagement Reports (CERs), which contain sensitive information about customer networks and platforms. The breach occurred approximately two weeks prior to the announcement. The hackers claim to have accessed downstream customer infrastructure using authentication tokens and other private information found in the stolen data. The affected organizations span various sectors, including finance, healthcare, government, and telecommunications. Red Hat has initiated remediation steps and stated that the security issue does not impact its other services or products. The hackers published a complete directory listing of the allegedly stolen GitLab repositories and a list of CERs from 2020 through 2025 on Telegram. The Centre for Cybersecurity Belgium (CCB) has issued an advisory stating there is a high risk to Belgian organizations that use Red Hat Consulting services. The CCB also warns of potential supply chain impact if service providers or IT partners worked with Red Hat Consulting. The CCB advises organizations to rotate all tokens, keys, and credentials shared with Red Hat or used in any Red Hat integrations, and to contact third-party IT providers to assess potential exposure. The ShinyHunters gang has now joined the extortion attempts against Red Hat, partnering with the Crimson Collective. ShinyHunters has released samples of stolen CERs on their data leak site and has set an October 10th deadline for Red Hat to negotiate a ransom demand to prevent the public leak of stolen data. The breach is part of a series of supply chain threats involving compromised code repositories. 
In May 2024, threat actors exploited a critical vulnerability (CVE-2023-7028) to take over GitLab accounts. GitLab disclosed and patched two similar vulnerabilities (CVE-2024-5655 and CVE-2024-6385) that jeopardized customers' CI/CD pipelines.
Clop extortion campaign targets Oracle E-Business Suite
The Clop ransomware gang has been exploiting multiple vulnerabilities in Oracle E-Business Suite since at least August 2025, including the zero-day vulnerability CVE-2025-61882. The gang has been sending extortion emails to executives at multiple organizations, claiming to have stolen sensitive data. The campaign involves a high-volume email blast from hundreds of compromised accounts, some previously linked to the FIN11 threat group. The emails contain contact addresses known to be listed on the Clop ransomware gang's data leak site. CrowdStrike attributes the exploitation of CVE-2025-61882 to the Cl0p ransomware gang with moderate confidence, and the first known exploitation occurred on August 9, 2025. The exploit involves an HTTP request to /OA_HTML/SyncServlet, resulting in an authentication bypass. Oracle has released an emergency patch for the zero-day vulnerability and shared indicators of compromise. The exploit was leaked by a group called Scattered Lapsus$ Hunters, raising questions about their potential collaboration with Clop. Oracle has confirmed that known vulnerabilities in its E-Business Suite, patched in July 2025, may have been exploited in these attacks. The July 2025 Critical Patch Update addressed 309 vulnerabilities across Oracle's product range, including nine for E-Business Suite. Three of these vulnerabilities are critical and three others are exploitable remotely without authentication. Mandiant and GTIG are investigating the claims and recommend that organizations receiving these emails investigate their environments for unusual access or compromise in their Oracle E-Business Suite platforms.
The UK’s National Cyber Security Centre (NCSC) has advised Oracle EBS customers to patch the critical vulnerability CVE-2025-61882, which is being exploited by the Clop ransomware group. The NCSC has urged customers to apply an emergency security update from Oracle, published over the weekend, to address the zero-day vulnerability CVE-2025-61882. The vulnerability impacts Oracle EBS versions 12.2.3-12.2.14 and allows unauthenticated attackers to send specially crafted HTTP requests to the affected component, resulting in full system compromise. The NCSC has warned that the Scattered Lapsus$ Hunters group has leaked the exploit used by the Clop gang, increasing the risk of opportunistic attacks on Oracle customers. Rapid7 has advised customers of affected Oracle EBS instances to conduct threat hunting to detect any potential malicious activity, given that exploitation in-the-wild may have occurred since August 2025. CISA has added CVE-2025-61882 to the Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to apply the fixes by October 27, 2025. WatchTowr Labs warns of potential mass, indiscriminate exploitation from multiple groups within days. Harvard University is the first confirmed victim of the recent cybercrime campaign targeting customers of Oracle’s E-Business Suite (EBS) solution. The hackers have made available over 1.3 TB of archive files that allegedly contain Harvard data. The organization believes the incident impacts a limited number of parties associated with a small administrative unit. The vulnerability exploited by the hackers has been patched and there is no evidence of other systems being compromised. Google’s Threat Intelligence Group (GTIG) and Mandiant believe dozens of organizations have been targeted. 
The cybercriminals behind the Oracle EBS campaign sent out extortion emails to executives at the targeted organizations on behalf of the Cl0p ransomware group, likely due to the reputation it has built after conducting similar campaigns in the past. Those campaigns targeted customers of Cleo, MOVEit, Fortra and Accellion file transfer products. The attacks targeting Oracle EBS customers appear to have involved the exploitation of known and zero-day vulnerabilities, as well as the deployment of sophisticated malware. CrowdStrike reported that exploitation of the software flaws appears to have started on August 9, but Google has seen some indication that the attacks may have begun as early as July 10.
WestJet data breach impacts 1.2 million customers
WestJet, a major Canadian airline, has confirmed that a cyberattack on June 13, 2025, compromised the personal information of 1.2 million customers. The breach involved the theft of travel documents, including passports and ID documents. The attackers gained access to the network through a Citrix system after resetting an employee's password via social engineering. The breach was attributed to threat actors associated with Scattered Spider, although no official attribution has been made. The compromised data includes full names, dates of birth, mailing addresses, travel documents, requested accommodations, filed complaints, WestJet Rewards Member IDs, and details of WestJet RBC Mastercard information. No credit card or debit card numbers, expiry dates, CVV numbers, or user passwords were compromised. The airline is working with the FBI and has offered a free 2-year identity theft protection and monitoring service to affected customers. The breach was first identified on June 13, 2025, and the data breach notification was sent to the Office of the Maine Attorney General on September 29, 2025.