Starting on Monday, Discord has been reaching out to users affected by a data breach disclosed earlier this year to let them know what Personal Identifying Information (PII) was exposed in the incident.
The breach stemmed from a security breach at a third-party service provider detected on March 29, involving the compromise of an account belonging to a customer support agent.
This incident was subsequently disclosed on May 12 through emails sent to potentially affected individuals.
The attackers gained access to the agent’s support ticket queue, user email addresses, messages they exchanged with Discord support, and support ticket attachments.
In response, Discord says it swiftly reacted to the compromise of the support account by promptly deactivating it after learning of the incident.
According to the letters sent to affected individuals, only 180 users had their sensitive personal information exposed in the attack.
“Discord immediately took steps to address the incident. A thorough investigation was conducted,” the company says in data breach notices filed with the Office of Maine’s Attorney General.
“On June 13, 2023, Discord completed the review of the support tickets involved and determined that one or more of those support tickets contained the personal information of one Maine resident including the individual’s name and driver’s license or state identification card number,” the Discord Privacy Team says in letters mailed to impacted users.
Discord, a highly popular social media and instant messaging platform, claims 150 million active monthly users and roughly 19 million active servers weekly.
BleepingComputer reached out to Discord for more details but did not receive a statement before this article was published.
In related news, a third-party and unofficial invite service known as Discord.io shut down last week after a massive data breach that exposed information belonging to around 760,000 members.
The Discord.io database was put up for sale on the new Breached hacking forums, with the threat actor sharing four user records as proof that the stolen information was authentic.
Sensitive data compromised in the breach includes Discord.io members’ usernames, email addresses, billing addresses (of a limited number of individuals), salted and hashed passwords (affecting a limited number of individuals), and their respective Discord IDs.
“This information is not private and can be obtained by anyone sharing a server with you. Its inclusion in the breach does, however, mean that other people might be able to link your Discord account to a given email address,” Discord.io explained at the time.