Summary
Highlights
The content creator verifies the hacker's authenticity by having them reveal specific, hidden details from his Discord support tickets, including internal messages and his user payment history. The hacker provided proof of access to sensitive information like location, email, billing details, and even a redacting phone number from the Discord Zenbar system. The hacker also revealed the content creator's email history with Discord, further solidifying their authenticity.
The hacker claims to have exported over 1.6 terabytes of data, primarily ticket attachments, with hundreds of gigabytes being user transcripts and other user data. They dispute Discord's claim that a 'small number' of government IDs were exposed, stating that while 70,000 users' IDs out of 200 million monthly active users is a small percentage, the emotional impact is significant. The Zenbar access allowed the hacker to obtain billing and user information for approximately 578,000 users, including PayPal emails, credit card providers, and the last four digits and expiration dates of credit cards. Additionally, about 50,000 full phone numbers were leaked through the API, despite being partially redacted in the Zenbar UI. The hacker also shared internal Discord documents, including a list of accounts Discord should not interact with, featuring prominent figures and the content creator himself.
The hacker attributes the breach to Discord's reliance on work-from-home Business Process Outsourcing (BPO) employees for support. They gained access to one such employee's account. Crucially, once inside Discord's ZenDesk, the hacker operated for 58 hours, sending 60 million requests without detection or rate limiting, enabling massive data scraping. This was not Discord's first security incident; a support agent was hacked in 2023, and another employee account was compromised in late August 2024, leading to people obtaining rare usernames and Discord staff badges. The hacker also criticizes Discord for not purging government ID tickets after resolution, leaving sensitive data accessible for months or years.
The hacker initially demanded $5 million from Discord, later reducing it to $3.5 million, but was ghosted by the company. They explicitly stated their goal is monetary and threatened to release or sell the user data, including 'hundreds of thousands of minors' government IDs, if Discord doesn't pay. The hacker aims to portray Discord as the villain for not protecting user data and for potentially being responsible for the leaked information, especially regarding minors.
The content creator warns that leaking government IDs, especially those of minors, creates a severe risk of extortion and worse from predators. He cites a direct message the hacker received suggesting that 'little ones are worth more' for selling IDs. He also states that Discord is unlikely to pay the ransom due to corporate policy reasons, meaning the hacker is likely to eventually leak the data. The hacker has already released a data sample containing emails that could identify minors, making them vulnerable to manipulation. The content creator emphasizes that the hacker will become the 'bad guy' for facilitating predators, regardless of Discord's failings. He also points out the disturbing reality that if the hacker tries to filter out minors, they will inevitably have to sift through CSAM content that may have been submitted in tickets.
Both the hacker and the content creator agree that Discord needs to be held accountable for its security failures, especially given this is their third reported hack. However, the creator argues that the hacker's actions are fundamentally wrong, as they are putting minors at extreme risk to extort money. He concludes that minors should not be caught in the crossfire between Discord's lax security and the hacker's profit motives.