Last week, Discord revealed that a security breach had exposed some of its users’ personal information — including government IDs collected for age verification. At the time, the voice chat and messaging platform stated that only a “small number” of IDs were accessed, and that those impacted would be notified by email.
We now know how small that number supposedly is: Discord spokesperson Nu Wexler told The Verge that approximately 70,000 people may have had their IDs compromised.
“All affected users globally have been contacted and we continue to work closely with law enforcement, data protection authorities, and external security experts,” Wexler told the publication.
This number may seem comparatively small when you consider that Discord boasts over 200 million monthly active users across the globe. Even so, it’s still an awful lot of people whose government IDs have potentially been accessed without authorisation.
Further, 70,000 is only the number of Discord users whose government IDs may have been exposed, as other personal data was also involved in the breach. This includes users’ names, contact details, IP addresses, purchase histories, and the last four digits of their credit cards. It isn’t clear how many users may have had such information exposed, but fortunately Discord states no full credit card numbers or passwords were accessed.
Though its users were impacted, Discord stressed that the company itself was not breached. Rather, a malicious actor gained access to a third-party service that Discord employs to manage its customer service, then was able to view information concerning users who had reached out to customer support. As such, while some users’ messages were compromised, these were only their conversations with customer support staff. In its original blog post, Discord said it was contacting impacted users, who will receive an email from noreply@discord.com.
While the company alleged in its post that the malicious actor had “a view to extort a financial ransom from Discord,” Wexler told The Verge that the company will not pay the ransom, stating that it “will not reward those responsible for their illegal actions.”
Discord introduced age verification in some regions earlier this year, requiring users to either take a selfie or provide a photo of themselves with their ID. (Users quickly found a workaround to this system in July, discovering that it could be fooled by using the photo mode in video game Death Stranding instead of a selfie.) The company partners with k-ID to verify users’ ages, though it’s unclear whether this was the third-party service provider that was compromised. According to Discord, both it and k-ID delete images of users’ IDs immediately after their age is confirmed.
Several governments are implementing age verification laws in an effort to prevent children from being exposed to content that is inappropriate for their age. Unfortunately, research suggests that age verification laws are not only ineffective but also compromise user privacy and safety, as Discord’s current situation illustrates. Rather than requiring websites to check users’ IDs, many free speech and privacy advocates suggest on-device age verification as a safer, more effective alternative.