Discord Service Provider Refuses To Be Blamed For Hacking And Data Theft
In early October, Discord revealed that a "Security Incident" had occurred, affecting about 70,000 users. After an initial notification was published on October 3, Discord updated the page and placed the blame for the hack on one of its service providers.
The edited release stated that it was a "violation" at a third-party service provider named 5CA, which Discord said was used in its customer support system.
On October 14, 5CA Systems responded to the claims. Citing reports that 5CA was the cause of the breach, the company insisted that their system was not involved.
5CA also said that it had never handled government-issued IDs for Discord. The breach reportedly involved a leak of tens of thousands of passport photos and driving licenses, which were used for age verification.
5CA went on to say that its systems remain secure, that client data continues to be protected, and that it is conducting its own investigation while working with Discord and cybersecurity experts on the matter.
Preliminary findings appear to show that the incident occurred outside 5CA's systems and that the company was not hacked, it claims. However, 5CA believes the incident could have been caused by "human error", though it does not specify what that means.
Publicly Shifting Responsibility Onto Each Other
The changes to Discord's press release and the notice from 5CA do nothing to fix the situation immediately; they are more an attempt by these companies to control the narrative, or at least to deflect blame elsewhere on a sensitive topic such as a security or privacy breach.
Discord initially said in its disclosure that the incident was caused by a third-party service provider involved in customer care. Directly naming the company limits the damage to Discord's reputation more than shifting blame to an unnamed, vague entity would.
The public doesn't know whether Discord's accusation is accurate, especially as 5CA denies that it is at fault. The public also doesn't know whether 5CA is being honest about its innocence, and no one will know until a trusted third party or law enforcement steps in and makes its own statement.
This, however, isn't the only change Discord made to its initial notice.
Initially, Discord said the breach affected a "limited number of users", without specifying how many were affected. Just a few days later, and after claims on X about 2.1 million images, the 70,000 figure was added to the notice.
While Discord may have thrown 5CA under the bus, and 5CA returned the favor, it will take some time before the public knows who is truly at fault. Discord, however, obviously remains responsible.
Sensitive Information
What is known about the breach is that it involves images of government-issued IDs, submitted as part of an age-related appeal process. Like many other applications, Discord should try to confirm the age of its users, to protect them from prohibited content in accordance with various new laws around the world.
Discord immediately stated that its own systems were not attacked, and that third-party tools used to handle age-related customer service queries were the target. Discord users' messages and activity are not included in the breach.
Data taken in the breach, according to Discord, includes:
So far, no one has claimed responsibility for the breach, and the data does not appear to have been sold or used elsewhere at this time. However, these details can be used in further hacking and attacks.
Discord said they would contact affected users about the breach, including what data was taken.
Although Discord and a security researcher disagree on the number of users and images affected, it is a relatively small number compared to Discord's total user base. Discord has about 689 million registered users and 259 million monthly active users.
For other users who are not directly affected by the breach, there's not much they can do about the situation. In some cases, they may receive messages based on the details hackers obtained from the breach, which use information from the IDs to win the trust of potential victims in confidence tricks.
As usual, internet users must continue to maintain good online hygiene, such as questioning the source of communication and ensuring file downloads come from legitimate sources.