A significant dispute has erupted between Discord and one of its key service providers, 5CA, regarding the source of a major data breach disclosed last month. The incident, initially announced by Discord on October 3rd, involved the exposure of government-issued identification documents—such as driver's licenses and passports—submitted by users for age verification. Discord later updated its disclosure, naming customer support partner 5CA as the entity compromised and revealing the "small number" of affected users was actually approximately 70,000 individuals.

However, 5CA has issued a forceful rebuttal, directly contradicting Discord's account. "Contrary to these reports, we can confirm that none of 5CA’s systems were involved, and 5CA has not handled any government-issued IDs for this client," the company stated. "All our platforms and systems remain secure, and client data continues to be protected under strict data protection and security controls... the incident occurred outside of our systems and that 5CA was not hacked."

5CA suggested a preliminary internal investigation pointed towards "human error" as the potential cause but provided no specific details. This claim stands in stark contrast to assertions made by the hackers who took credit for the breach. Speaking to BleepingComputer, the threat actors claimed they gained access to Discord's Zendesk customer support portal for 58 hours on September 20th using compromised login credentials belonging to a support agent employed by a third-party contractor.

The public disagreement underscores several critical issues facing organizations reliant on third-party vendors:

  1. Incident Attribution Challenges: Determining the precise origin and chain of events in a breach, especially involving external partners, is complex and often contentious.
  2. Third-Party Risk Management: The incident highlights the immense risk posed by vendors with access to sensitive user data, regardless of whether the vendor's own core systems were breached or access was gained through compromised credentials or misconfiguration within the client's own ecosystem (like the Zendesk instance).
  3. Scale vs. Disclosure: Discord's initial characterization of the breach as involving a "small number" of IDs, later revealed to be 70,000, raises questions about the transparency and timing of disclosures during an evolving incident response.
  4. Credential Vulnerability: The hackers' claim points to the persistent threat of compromised credentials as a primary attack vector, emphasizing the need for robust multi-factor authentication (MFA) and strict access controls, particularly for support personnel handling sensitive data.

As of now, Discord has not publicly responded to 5CA's denial. The unresolved conflict leaves users impacted by the exposure of highly sensitive government documents caught in the middle, while the broader tech industry watches closely. This incident serves as a stark reminder that in the complex web of modern digital services, understanding where responsibility truly lies when security fails is often the first major hurdle in the aftermath.

Source: Engadget (https://www.engadget.com/cybersecurity/the-company-discord-blamed-for-its-recent-breach-says-it-wasnt-hacked-175536278.html)