Executive Summary
In late September 2025, an attacker compromised the account of a support agent at an outsourced BPO provider and used it to reach Discord's Zendesk-based support system; by the attacker's own account the access lasted about 58 hours. The attacker claims to have taken roughly 1.6 TB of data covering about 8.4 million support tickets and 5.5 million unique users. Discord has disputed those figures but confirmed that exposed data includes names, usernames, email addresses, IP addresses, Discord IDs and phone numbers where present, limited billing information (partial payment data, not full card numbers or passwords), support messages and attachments, and government-ID photos for approximately 70,000 users who had submitted them for age-verification appeals. Through the integrations between Zendesk and Discord's internal tooling, the attacker also queried additional user details via API, then demanded a multimillion-dollar ransom, which Discord says it declined to pay, before threatening to publish the data.
This incident highlights the risk that third-party customer-support platforms and BPO providers pose to the organizations that rely on them: one outsourced agent identity was sufficient to reach a large share of the customer-support data set. The tactics (abuse of a legitimate support identity, of helpdesk integrations, and of the broad access a support role carries) reflect wider trends toward identity-driven intrusion and data extortion, and the exposure of government IDs brings regulatory scrutiny with it.
Why This Matters Now
With organizations increasingly reliant on external vendors for support operations, supply chain compromises pose significant risks to customer data and regulatory compliance. Robust third-party controls and privileged access management are now urgent priorities to reduce the attack surface for identity-driven breaches.
Attack Path Analysis
The attacker first obtained the account of a support agent at a BPO vendor used by Discord; how that credential was obtained has not been publicly disclosed. That one account was enough to reach Discord's Zendesk instance and, through its integrations, internal tooling that returns additional user details. No privilege-escalation vulnerability has been reported; the escalation here is that a support-agent role, plus the integrations behind it, reached far more data than the agent's job required, and that reach extended from the support platform into internal applications. Over roughly 58 hours the attacker kept the session alive and issued a high volume of ticket queries and API calls that resembled ordinary support traffic because they went through the legitimate SaaS interfaces. User data, ticket attachments and government-ID images were pulled out the same way. The attacker then attempted to extort Discord and, when refused, threatened to leak the personal and financial data, with reputational and regulatory consequences for Discord.
Kill Chain Progression
Initial Compromise
Description
Attackers gained access through credentials of a support agent at a third-party BPO providing access to Discord's Zendesk instance.
Related CVEs
CVE-2025-47456
CVSS 4.7
An open redirect vulnerability in the WP Gravity Forms Zendesk plugin allows unauthenticated attackers to redirect users to malicious sites.
Affected Products:
CRM Perks WP Gravity Forms Zendesk – <= 1.1.2
Exploit Status:
no public exploit
Note: this CVE is listed only because it affects Zendesk-integrated software. Public reporting attributes the Discord breach to a compromised BPO agent account, not to any Zendesk or plugin vulnerability, and nothing indicates this CVE was used.
MITRE ATT&CK® Techniques
Valid Accounts: Cloud Accounts (T1078.004) – the compromised BPO agent login to the Zendesk SaaS tenant
External Remote Services (T1133) – vendor access to Discord's support platform from outside Discord's own network
Application Layer Protocol: Web Protocols (T1071.001) – all activity rode ordinary HTTPS to Zendesk and its integrations
Unsecured Credentials: Credentials In Files (T1552.001) – candidate credential source; not publicly confirmed
Data from Information Repositories (T1213) – ticket bodies, attachments and ID images retrieved from the support platform
Automated Exfiltration (T1020) – scripted bulk ticket and attachment retrieval through the legitimate API
Brute Force (T1110) and Phishing (T1566) – candidate initial-access vectors; how the agent credential was obtained has not been publicly confirmed
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Strong authentication for users and administrators
Control ID: 8.3.1
NYDFS 23 NYCRR 500 – Access Privileges
Control ID: 500.07
NIS2 Directive – Supply Chain Security
Control ID: Art. 21(2)(d)
DORA – ICT Third-Party Risk Management
Control ID: Art. 28
CISA ZTMM 2.0 – Monitor and restrict identity access
Control ID: Identity and Access Management - 2.5.1
GDPR – Security of Processing
Control ID: Art. 32
Sector Implications
Industry-specific impact of this incident, including operational, regulatory, and cloud security risks.
Computer Games
Gaming platforms face severe data breach risks through third-party support systems, which hold user identities, partial payment data, and government IDs submitted for age verification; this calls for zero trust segmentation of support-agent access.
Entertainment/Movie Production
Digital entertainment services are exposed to support-system compromises that reveal user verification data, and need egress controls on support-platform data flows so that bulk retrieval of customer information is detected and stopped.
Information Technology/IT
IT service providers face heightened risks from BPO vendor compromises enabling lateral movement through support platforms, necessitating multicloud visibility and threat detection capabilities.
Outsourcing/Offshoring
BPO providers targeted as attack vectors for downstream customer breaches through compromised support agent accounts, requiring enhanced access controls and anomaly detection systems.
Sources
- Hackers claim Discord breach exposed data of 5.5 million users (BleepingComputer) – https://www.bleepingcomputer.com/news/security/hackers-claim-discord-breach-exposed-data-of-55-million-users/ [Verified]
- Discord Confirms 70,000 Government IDs Exposed in Third-Party Breach (CyberInsider) – https://cyberinsider.com/discord-confirms-70000-government-ids-exposed-in-third-party-breach/ [Verified]
- 5CA denies it was hacked, causing Discord breach (Cybernews) – https://cybernews.com/news/discord-breach-zendesk-partner-5ca-denies-third-party-platform-hack/ [Verified]
- Discord says only 70,000 government ID photos exposed in third-party service breach (Tom's Hardware) – https://www.tomshardware.com/tech-industry/cyber-security/discord-says-only-70-000-government-id-photos-exposed-in-third-party-service-breach [Verified]
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust segmentation, granular policy enforcement, east-west traffic controls, and egress filtering could have contained the attack by restricting BPO agent session scope, detecting anomalous activity, and preventing large-scale data exfiltration beyond intended workflows.
Control: Zero Trust Segmentation
Mitigation: Restricted support agent access to only their own customer tickets and functions.
Control: Multicloud Visibility & Control
Mitigation: Anomalous privilege usage detected and alerted in real time.
Control: East-West Traffic Security
Mitigation: Unauthorized internal movement restricted and detected.
Control: Threat Detection & Anomaly Response
Mitigation: Unusual query volume and persistent access patterns rapidly detected.
Control: Egress Security & Policy Enforcement
Mitigation: Automated blocking or throttling of large-scale data egress attempts.
Containment of impact by minimizing breach scope and triggering rapid incident response.
Impact at a Glance
Affected Business Functions
- Customer Support
- Trust & Safety
Estimated downtime: 3 days (estimate; Discord has not disclosed any service impact)
Estimated loss: $5,000,000 (estimate; no loss figure has been disclosed)
Approximately 70,000 users had their government-issued ID photos exposed, along with names, usernames, email addresses, IP addresses, and limited billing information.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust segmentation for all BPO and third-party identities, restricting access to the minimum needed data and systems.
- Enforce granular egress policies to detect and block unauthorized large-scale data exports from SaaS or support platforms.
- Deploy threat detection with baseline anomaly analytics to alert on suspicious privilege changes and excessive API usage.
- Require strong MFA and session posture checks for all support and integrated SaaS accounts, especially for outsourced vendors.
- Leverage multi-cloud visibility tools to continuously audit, monitor, and automate incident response across all support and customer-facing environments.
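The "Threat Detection & Anomaly Response" and "Egress Security" controls above, and the recommendation to alert on excessive API usage, come down to one check: compare each support identity's ticket reads and attachment downloads against a per-hour baseline and flag the identity that suddenly enumerates tickets or pulls attachments in bulk. The following is an added example of that check, not Discord's, Zendesk's, 5CA's or any vendor's code. The JSON-lines audit feed it parses is constructed for the example and its field names (`agent`, `action`, `ticket`, `bytes`) are an assumption; a real Zendesk audit or API log carries different fields, so the parser is the part to adapt.

```python
"""Flag one support-agent identity that reads tickets and pulls attachments
far above baseline, the pattern behind a bulk ticket-data theft.

Added example; not code from Discord, Zendesk or any vendor.  Log format,
field names and thresholds are assumptions for illustration.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Thresholds are assumptions; in production derive them per agent and per
# shift from historical activity rather than hard-coding them.
MAX_TICKET_VIEWS_PER_HOUR = 60
MAX_ATTACHMENT_BYTES_PER_HOUR = 50 * 1024 * 1024  # 50 MiB


def _line(ts, agent, action, ticket, nbytes=0):
    """One constructed audit event as a JSON line (assumed field names)."""
    return json.dumps({"ts": ts.isoformat().replace("+00:00", "Z"),
                       "agent": agent, "action": action,
                       "ticket": ticket, "bytes": nbytes})


def build_sample_log():
    """Constructed sample feed: two agents working normally and one
    compromised agent enumerating tickets and downloading attachments in bulk."""
    t0 = datetime(2025, 9, 20, 9, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(8):  # agent_a: a handful of tickets per hour
        lines.append(_line(t0 + timedelta(minutes=7 * i), "agent_a", "ticket.view", 5000 + i))
    lines.append(_line(t0 + timedelta(minutes=30), "agent_a", "attachment.download", 5003, 200_000))
    for i in range(5):  # agent_b: likewise, non-sequential ticket ids
        lines.append(_line(t0 + timedelta(minutes=11 * i), "agent_b", "ticket.view", 6100 + 3 * i))
    for i in range(150):  # agent_bpo_7: 150 sequential reads, 30 x 4 MiB attachments, in 50 minutes
        lines.append(_line(t0 + timedelta(seconds=20 * i), "agent_bpo_7", "ticket.view", 7000 + i))
        if i % 5 == 0:
            lines.append(_line(t0 + timedelta(seconds=20 * i + 5), "agent_bpo_7",
                               "attachment.download", 7000 + i, 4 * 1024 * 1024))
    return "\n".join(lines)


def parse_events(text):
    """Parse JSON lines into event dicts with a timezone-aware datetime."""
    events = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return events


def detect(events, max_views=MAX_TICKET_VIEWS_PER_HOUR, max_bytes=MAX_ATTACHMENT_BYTES_PER_HOUR):
    """Return alerts for (agent, hour) buckets whose distinct-ticket reads or
    attachment bytes exceed the baseline.  Counting distinct tickets, not raw
    requests, keeps an agent who reloads one ticket from tripping the rule."""
    views = defaultdict(set)   # (agent, hour) -> distinct ticket ids viewed
    egress = defaultdict(int)  # (agent, hour) -> attachment bytes downloaded
    for ev in events:
        key = (ev["agent"], ev["ts"].replace(minute=0, second=0, microsecond=0))
        if ev["action"] == "ticket.view":
            views[key].add(ev["ticket"])
        elif ev["action"] == "attachment.download":
            egress[key] += ev["bytes"]
    alerts = []
    for (agent, hour), tickets in views.items():
        if len(tickets) > max_views:
            ids = sorted(tickets)
            # Runs of consecutive ticket ids indicate enumeration rather than queue work.
            sequential = sum(1 for a, b in zip(ids, ids[1:]) if b - a == 1)
            alerts.append({"agent": agent, "hour": hour.isoformat(), "rule": "bulk_ticket_views",
                           "value": len(tickets), "sequential_pairs": sequential})
    for (agent, hour), nbytes in egress.items():
        if nbytes > max_bytes:
            alerts.append({"agent": agent, "hour": hour.isoformat(),
                           "rule": "bulk_attachment_egress", "value": nbytes})
    return sorted(alerts, key=lambda a: (a["agent"], a["hour"], a["rule"]))


def run_example():
    """Run the detector over the constructed sample feed."""
    return detect(parse_events(build_sample_log()))


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

Only `agent_bpo_7` is flagged, on both rules. The second-order signal, the count of consecutive ticket IDs, is what separates an agent working a busy queue from one walking the ticket space; in a real deployment the alert should also feed an automated response (session revocation or API throttling for that identity), which is the "egress" half of the control.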