5CA denies being hacked after Discord breach claims — what we know

Customer support firm 5CA has pushed back against reports that it was the entry point in Discord’s recent data breach. Discord previously announced a breach affecting a “small number” of government-issued IDs submitted for age verification, later clarifying that roughly 70,000 users’ IDs may have been exposed and naming a third-party vendor involved in support operations.

In a public statement, 5CA said none of its systems were involved and that it did not handle government-issued IDs for the client in question. The company added that the incident occurred outside its systems and that a preliminary investigation suggests the cause may be “human error,” though it gave no specific details.

• Discord originally disclosed a breach that included government IDs like driver’s licenses and passports.
• Discord later identified a third-party support company as connected to the incident and said about 70,000 IDs were affected.
• 5CA denies any systems were compromised and says it did not process government-issued IDs for the client.
• Hackers told BleepingComputer they had access to Discord’s Zendesk for 58 hours via compromised credentials of a support agent from a third party.
• Discord has not publicly responded to 5CA’s denial at the time of this posting.

The conflicting statements highlight the challenges of managing third-party risk in customer support and verification workflows. If the attackers did indeed use compromised agent credentials, the incident underscores the importance of strict access controls, credential hygiene, and monitoring on vendor platforms like Zendesk.

For more context, see the original report on Engadget and coverage at BleepingComputer.

Discussion: Do you think third-party vendors need stricter oversight when handling sensitive user data? Why or why not?