A running full list of Discord data breaches and what to do about each one

Heads up: I made a lot of this post with AI, but it’s all completely legit and accurate. I just fed the AI the details and facts and had it compile everything in a nice, organized manner. Otherwise it would just be a wall of me ranting and going off topic haha

So anyway, I am posting this as a running reference for anyone trying to keep track of all the Discord-related data breaches that seem to be happening daily now. I’ll update as new ones surface and others develop. Comments and corrections welcome. If you know of a leak I missed, post it. This is going to be a master thread on every Discord breach known. If you hear about a leak before it hits mainstream, definitely post that!

2022 third-party customer support breach (disclosed May 2023)

A third-party customer support agent’s account got compromised, almost certainly via phishing. The agent’s support ticket queue contained user email addresses, the contents of every message that user had exchanged with Discord support, and any attachments sent along with those tickets.

Timeline as it played out: Discord said it learned of the incident, deactivated the compromised account, and ran malware checks on the affected machine all in the same window. Notification emails went out to impacted users about a week later. The notice itself was vague on numbers, exact dates, and how access was obtained. Most of what the public knows came from copies of the user notification emails that affected people shared online, and from later reporting by BleepingComputer and SecurityWeek.

Sources: https://www.bleepingcomputer.com/news/security/discord-discloses-data-breach-after-support-agent-got-hacked/ and https://securityaffairs.com/146171/data-breach/discord-suffered-data-breach.html

-

2022 NFT server compromises via MEE6 bot

Not a Discord breach in the strict sense, but a bot breach that hit Discord users hard. In May 2022, attackers exploited MEE6 (one of the most widely-used Discord bots, on millions of servers) to push fake NFT mint scam messages through compromised admin accounts on big NFT project servers.

Timeline: The compromises rolled out across dozens of NFT-project servers over a couple of weeks. On-chain analyst NFTherder traced 26 of roughly 70 hacked NFT servers back to MEE6-related compromise, including RTFKT (Nike), Memeland (9GAG), Moonbirds (Proof), and CyberConnect. MEE6’s team initially denied a platform breach and pointed to a compromised employee account. The pattern repeated throughout 2022 with different bots, which is the actual takeaway: bots inherit admin trust, so compromise of a popular bot or its operator can fan out across thousands of servers without Discord itself being touched.

Source: https://www.cpomagazine.com/cyber-security/multiple-nft-projects-attacked-after-commonly-used-mee6-discord-bot-hacked/

-

2024 Spy.pet mass scraping (April 2024)

A site called Spy.pet had been running since around November 2023, quietly scraping public Discord servers and selling lookups for crypto. The scope only became public in mid-April 2024. By the time researchers and journalists got to it, Spy.pet claimed data on 620 million users across 14,000 servers, and over 4 billion messages indexed and searchable.

Timeline: April 16, 2024, StackDiary published the initial writeup. 404 Media followed a day later confirming the service was selling real Discord messages, voice channel logs, and join/exit timestamps for as little as $5 per lookup, and was advertising an “enterprise” tier (reportedly including data sold to Kiwi Farms and offered for AI training). Discord acknowledged it was investigating. Over the next ten days the server count Spy.pet claimed access to dropped from 14,000 to 12,000 to zero by April 25. Discord confirmed it had banned the affiliated accounts and was considering legal action. By April 26 the website was offline. The operator claimed on Telegram they’d set up a backup domain. As of now the original site has not returned.

Source: https://www.404media.co/discord-shuts-down-spy-pet-bots-that-scraped-sold-user-messages/

-

Token-stealer malware (ongoing)

This isn’t one breach, it’s a recurring pattern. Malicious npm and PyPI packages keep showing up that are designed specifically to steal Discord tokens off developer machines. Tokens are full account credentials with no password needed, so a stolen token is a hijacked account.

Timeline of the pattern, just to show how steady this is: November 2021 (CursedGrabber family), late 2022 (JFrog disclosed 17 npm packages including discord-lofy and discord-selfbot-v14 masquerading as forks of discord.js), 2022 LofyLife (Kaspersky disclosure of Volt Stealer and Lofy Stealer combos that also grabbed payment card details), and most recently February 2026 (JFrog disclosed duer-js running Bada Stealer, which hijacks Discord’s Electron debugger to scrape email, password, tokens, and 2FA codes straight out of memory). Same playbook every time: typosquat or impersonate a legit package, postinstall script ships the token off via webhook.

Sources: https://jfrog.com/blog/malicious-npm-packages-are-after-your-discord-tokens-17-new-packages-disclosed/ and https://cyberpress.org/duer-js-delivers-bada-stealer/

-

2025 third-party customer service breach (disclosed October 3, 2025)

The recent one. Same pattern as the 2022 incident: not Discord itself, but a customer support vendor. This time the vendor is named (5CA) and the impact is much bigger and worse.

Timeline: The intrusion happened in September 2025. Discord disclosed it on October 3, 2025. The actor compromised the vendor’s access to Discord’s ticketing system and exfiltrated data from users who’d contacted Customer Support or Trust & Safety. Discord said the attacker’s motive was extortion. Approximately 70,000 users had government-ID photos exposed (these were submitted by users appealing age-related decisions, which the vendor was processing). Other potentially exposed data: names, Discord usernames, email and contact info, IP addresses, support ticket messages, last 4 digits of payment cards, and some internal Discord training materials and presentations.

Discord revoked the vendor’s access immediately, engaged law enforcement, and started emailing affected users from noreply@discord.com. The company explicitly warned that no other contact channel (phone, social media DM) would be used, because phishing attacks impersonating Discord support spiked the week after disclosure. As of now there’s no public number on total impacted users beyond the 70,000 government-ID figure.

Sources: https://discord.com/press-releases/update-on-security-incident-involving-third-party-customer-service and https://www.infosecurity-magazine.com/news/discord-data-breach-third-party/

-

What to do, broadly

Assume your Discord data has appeared in at least one of these. Rotate your token (log out and back in everywhere). Enable 2FA. Audit which third-party bots and apps have access to your account at Settings > Authorized Apps and revoke anything you don’t actively use. If you’ve ever submitted ID documents to Discord support, assume those are at risk.
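Added example, not from the original post or from JFrog/Kaspersky: the token-stealer section above describes one playbook (lookalike package name, install-time script, token shipped out via a Discord webhook), and this script checks a set of package manifests for exactly those three traits. The sample packages, the webhook URL and the client_id-style numbers are constructed placeholders; the indicator regexes are my own assumptions and are illustrative rather than a complete signature set. The token-store path it looks for (the Discord client’s Local Storage/leveldb directory) is the one grabbers commonly read.

```python
"""Audit npm-style package manifests for the install-hook + Discord-webhook grabber pattern.

Added example for this thread; not code from the original post or from JFrog/Kaspersky.
All sample packages below are constructed; the webhook URL and paths are placeholders.
"""
import re

# Lifecycle scripts npm runs automatically during `npm install`
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Reference names an attacker might impersonate; extend with your own dependencies
LEGIT_PACKAGES = ("discord.js",)

# Indicators of the grabber pattern (assumption: illustrative regexes, not a full signature set)
WEBHOOK_RE = re.compile(
    r"https?://(?:canary\.|ptb\.)?discord(?:app)?\.com/api/webhooks/\d+/[\w-]+"
)
# Discord desktop clients keep the session token under .../discord/Local Storage/leveldb;
# the character class tolerates path separators or JS string/list punctuation between parts
TOKEN_STORE_RE = re.compile(
    r"discord(?:canary|ptb)?[\\/'\", ]+local\s*storage[\\/'\", ]+leveldb", re.I
)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike package names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def audit_package(manifest: dict, files: dict) -> list:
    """Return human-readable findings for one package (empty list = nothing suspicious)."""
    findings = []
    name = manifest.get("name", "")
    scripts = manifest.get("scripts", {})

    # 1. Any script that runs unattended at install time deserves a look
    for hook in INSTALL_HOOKS:
        if hook in scripts:
            findings.append(f"install-time script {hook}: {scripts[hook]!r}")

    # 2. A name within two edits of a package people actually want is a typosquat candidate
    for legit in LEGIT_PACKAGES:
        d = edit_distance(name.lower(), legit.lower())
        if 0 < d <= 2:
            findings.append(f"name {name!r} is {d} edit(s) from {legit!r} (possible typosquat)")

    # 3. Exfiltration channel and token source, searched across scripts and shipped files
    blob = "\n".join(list(scripts.values()) + list(files.values()))
    if WEBHOOK_RE.search(blob):
        findings.append("Discord webhook URL embedded (typical exfiltration channel)")
    if TOKEN_STORE_RE.search(blob):
        findings.append("reads the Discord client's Local Storage/leveldb (token store)")
    return findings


def scan(packages: list) -> dict:
    """Map package name -> findings, for every package that has any."""
    report = {}
    for pkg in packages:
        findings = audit_package(pkg["manifest"], pkg["files"])
        if findings:
            report[pkg["manifest"]["name"]] = findings
    return report


# Constructed sample input: one benign package, one lookalike with a postinstall grabber
SAMPLE_PACKAGES = [
    {
        "manifest": {"name": "left-pad-clone", "version": "1.0.0",
                     "scripts": {"test": "node test.js"}},
        "files": {"index.js": "module.exports = (s, n) => s.padStart(n);"},
    },
    {
        "manifest": {"name": "dsicord.js", "version": "14.0.1",
                     "scripts": {"postinstall": "node index.js"}},
        "files": {"index.js": (
            "const hook = 'https://discord.com/api/webhooks/000000000000000000/PLACEHOLDER';\n"
            "const dir = require('path').join(process.env.APPDATA, 'discord', 'Local Storage', 'leveldb');\n"
            "// ... read *.ldb files, regex out the token, POST it to `hook` ...\n"
        )},
    },
]

if __name__ == "__main__":
    for pkg_name, pkg_findings in scan(SAMPLE_PACKAGES).items():
        print(pkg_name)
        for line in pkg_findings:
            print("  -", line)
```

Running it on the constructed input flags only dsicord.js, with all four traits. To use it for real, walk node_modules (or a pip cache) and feed each package.json plus its JS files in as the manifest/files pair; an install hook on its own is common in legitimate packages, so treat it as a reason to read the script, not as a verdict by itself.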
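Added example, not from the original post, MEE6 or Discord: the MEE6 section’s takeaway is that bots inherit whatever trust the server admin granted them, and the grant is decided at invite time by the permissions= integer in the bot’s OAuth2 link. This script decodes that integer so you can see what a bot invite actually asks for before authorizing it. The bit values are the permission flags from Discord’s developer docs (only a subset is included); the invite URLs and client_id below are constructed placeholders, and which permissions count as high-risk is my own judgement.

```python
"""Decode what a Discord bot invite link asks for, before clicking Authorize.

Added example for this thread (not code from the original post, MEE6 or Discord).
Bit values are Discord's documented permission flags; the invite URLs below are constructed.
"""
from urllib.parse import parse_qs, urlparse

# Subset of Discord's permission bitfield (bits not listed here are ignored by decode_permissions)
PERMISSIONS = {
    "KICK_MEMBERS": 1 << 1,
    "BAN_MEMBERS": 1 << 2,
    "ADMINISTRATOR": 1 << 3,
    "MANAGE_CHANNELS": 1 << 4,
    "MANAGE_GUILD": 1 << 5,
    "VIEW_CHANNEL": 1 << 10,
    "SEND_MESSAGES": 1 << 11,
    "MANAGE_MESSAGES": 1 << 13,
    "MENTION_EVERYONE": 1 << 17,
    "MANAGE_ROLES": 1 << 28,
    "MANAGE_WEBHOOKS": 1 << 29,
}

# Anything here lets a compromised bot (or bot operator) take over, lock out or mass-ping a server
HIGH_RISK = {
    "ADMINISTRATOR", "MANAGE_GUILD", "MANAGE_ROLES", "MANAGE_CHANNELS",
    "MANAGE_WEBHOOKS", "BAN_MEMBERS", "KICK_MEMBERS", "MENTION_EVERYONE",
}


def permission_bits(*names: str) -> int:
    """Build the integer for a least-privilege invite from permission names."""
    bits = 0
    for name in names:
        bits |= PERMISSIONS[name]
    return bits


def decode_permissions(bits: int) -> set:
    """Expand a permissions integer into names. ADMINISTRATOR implies every permission
    and also bypasses channel-level overwrites, so it is expanded to the full set."""
    if bits & PERMISSIONS["ADMINISTRATOR"]:
        return set(PERMISSIONS)
    return {name for name, bit in PERMISSIONS.items() if bits & bit}


def assess_invite(url: str) -> dict:
    """Parse permissions= from an OAuth2 bot invite URL and flag high-risk grants."""
    query = parse_qs(urlparse(url).query)
    bits = int(query.get("permissions", ["0"])[0])
    granted = decode_permissions(bits)
    risky = sorted(granted & HIGH_RISK)
    return {
        "bits": bits,
        "granted": sorted(granted),
        "high_risk": risky,
        "verdict": "reject: scope down before authorizing" if risky else "ok",
    }


# Constructed sample invites (client_id is a placeholder, not a real application)
INVITE_BASE = "https://discord.com/oauth2/authorize?client_id=000000000000000000&scope=bot"
SAMPLE_INVITES = {
    "admin_bot": INVITE_BASE + "&permissions=8",          # ADMINISTRATOR: the MEE6-style blast radius
    "chat_bot": INVITE_BASE + "&permissions=3072",        # VIEW_CHANNEL | SEND_MESSAGES
    "role_bot": INVITE_BASE + f"&permissions={1 << 28}",  # MANAGE_ROLES
}

if __name__ == "__main__":
    for label, url in SAMPLE_INVITES.items():
        result = assess_invite(url)
        print(f"{label}: {result['verdict']}  high_risk={result['high_risk']}")
```

The practical move this supports: when a bot’s invite asks for 8 (Administrator), build the narrow set you actually need with permission_bits and edit the URL before authorizing. A bot that only posts messages needs 3072, and a bot holding nothing but VIEW_CHANNEL and SEND_MESSAGES cannot be used to push scam announcements with @everyone or to rewrite roles if its operator gets phished.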

sick idea dude, following this for sure

Discord data breaches thread? Does redact even have enough server storage to host such a thread? :grinning_face_with_smiling_eyes:

12 MONTHS OF “WE TAKE YOUR PRIVACY SERIOUSLY” EMAILS AND THEN ANOTHER BREACH NEXT QUARTER. SAME ENERGY AS EVERY OTHER PLATFORM.

Delete what you don’t need from every platform!

Solid thread. The thing folks miss about the third-party breaches is that Discord has dozens of these vendors handling everything from support tickets to ad fraud detection to compliance and any one of them can leak. You can be a perfect user with 2FA and unique passwords and still get hit because some company you’ve never heard of had a junior developer with a stolen laptop.

The only OPSEC move that actually scales is don’t put what you can’t afford to leak in the first place. Discord ain’t a secure channel for sensitive stuff. Never has been and likely never will be

I got one of these customer service breach emails last month actually! Hadn’t contacted Discord support in over two years and I’d completely forgotten what I had written to them about, which is its own kind of unsettling in its own right.

Logged into my Discord account specifically to delete the linked email address from my account, which is the closest I can come to making the leaked data point to nothing. Whether that actually does anything I’m honestly not sure. But it felt better than nothing.

Ay, I got the email too :sob: Had no idea this even happened. Is there a way to know exactly which support ticket got leaked, or do they not tell you that part? Would love to know what was in mine, how stressful.

Not to be that guy but the language Discord used in the disclosure was carefully scoped “A limited number of users” and “information from your support ticket” doesn’t tell you whether the leaked information is just contact metadata or includes the actual ticket contents and any attachments you uploaded. The transparency report when it lands will be more informative than the user-facing email was. Worth keeping an eye out for that.

Dude, the spy.pet thing is what made me stop using my real name on Discord lol. Like if some random Brazilian dude could pay $5 to see every server I was in and every message, what was even the point of pretending to have privacy

appreciate the timeline format. easier to forward to people who don’t follow this stuff. sent it to three friends already.

wasn’t there a recent hack like 2 weeks ago?

well it’s Discord…soo yeah probably

Read the whole thing. Honest reaction is I’m tired, bub. Every platform has had a breach, the response is always the same nothing email, and we keep using them anyway. Not blaming this thread, blaming the situation. Good roundup tho.

One thing that doesn’t get enough attention here is the cumulative effect. You might say each individual breach “only” exposed a limited dataset. The cumulative dataset, though, is enormous now. Cross-referencing across breaches gives a complete profile of most active users at this point. The breach landscape is a distributed dossier on hundreds of millions of people.