Government IDs of 70,000 Discord Users May Have Been Exposed
Did you know you can configure Google to filter out junk? Follow these steps to improve your search results, including adding my work on Lifehacker as a preferred source .
On Friday, October 3, Discord announced a hack of the third-party service provider it uses to support its customers. The company warned that the vulnerability affected a “limited number of users” who communicated with certain Discord teams, although the “unauthorized user” did not gain direct access to any Discord networks.
In its initial statement, Discord stated that a range of user data may have been stolen. Specifically, this included names, usernames, email addresses, payment information, the last four digits of credit cards, purchase history, IP addresses, correspondence with Discord agents, and “a limited set of corporate data,” such as training materials and internal presentations.
While all this information is confidential, it’s unfortunately unsurprising to see it in a leak like this. However, Discord also reported that hackers may have accessed a “small number” of government-issued ID images, including driver’s licenses and passports. As it turns out, that “small number” was 70,000. Discord confirmed this information to The Verge on Wednesday. If you were among the affected users, Discord has likely already contacted you via email.
Age verification is a privacy nightmare.
Why did Discord’s partner need these users’ IDs in the first place? Age verification. Like many other companies, Discord now restricts certain content for minors. If you’re mistakenly identified as a minor, you can appeal and prove you’re at least 18 years old. To do this, you’ll need to take a photo of yourself holding a photo ID with your date of birth or a piece of paper with your full Discord username. Discord outsourced this work to a third-party organization, which was the target of this data breach.
According to 404 Media , hackers believe they stole even more data than Discord admitted. This includes information about whether users were verified; their cities, states, counties, and countries of residence; whether multi-factor authentication was enabled for their account; and the time of their last visit to Discord.
This event highlights the risks associated with requiring companies to verify users’ ages by uploading government-issued IDs. In Texas, users must verify their age before downloading apps to their phones, and several states require the same to access adult websites. Regardless of where you live, YouTube will use artificial intelligence to determine your age , and if it’s wrong, you’ll have to verify your age yourself.
The goal is to protect children and minors from accessing content they shouldn’t have. But by doing so, companies put users at risk: they ask you to trust them with your IDs, credit cards, and even selfies; or, if not them, then third-party affiliates. As we see in this case, due to a security vulnerability, tens of thousands of Discord users who were simply trying to verify their age have now exposed their IDs. What happens when the population of an entire state? Or an entire country?