Discord says that hackers made off with images of 70,000 users’ government IDs that they were required to provide in order to use the site.
Like an increasing number of sites, Discord requires certain users to provide a photo or scan of their driver's license or other government ID that shows they meet the minimum age requirements in their country. In some cases, Discord allows users to prove their age by providing a selfie that shows their faces (it’s not clear how a face proves someone’s age, but there you go). The social media site imposes these requirements on users who are reported by other users to be under the minimum age for the country they’re connecting from.
“A substantial risk for identity theft”
On Wednesday, Discord said that roughly 70,000 users “may have had government-ID photos exposed” in a recent breach of a third-party service Discord entrusted to manage the data. The affected users had communicated with Discord’s Customer Support or Trust & Safety teams and subsequently submitted the IDs as part of age-related appeal reviews.
“Recently, we discovered an incident where an unauthorized party compromised one of Discord’s third-party customer service providers,” the company said Wednesday. “The unauthorized party then gained access to information from a limited number of users who had contacted Discord through our Customer Support and/or Trust & Safety teams.”
Discord cut off the unnamed vendor’s access to its ticketing system after learning of the breach. The company is now in the process of emailing affected users. Notifications will come from noreply@discord.com. Discord said it won’t contact any affected users by phone.
The data breach is a sign of things to come as more and more sites require users to turn over their official IDs as a condition of using their services. Besides Discord, Roblox, Steam, and Twitch have also required at least some of their users to submit photo IDs. Laws passed in 19 US states, France, the UK, and elsewhere now require porn sites to verify that visitors are of legal age to view adult content. Many sites have complied, but not all.
One such site is Pornhub, which said two weeks ago that it would block access to people trying to visit its site from these jurisdictions rather than comply with a law that opens it and its users to threats and normalizes the disclosure of personally identifiable information across the Internet.
“It also creates a substantial risk for identity theft,” Pornhub said. “Since age verification software requires users to hand over extremely sensitive information, it opens the door for the risk of data breaches. Whether or not your intentions are good, governments have historically struggled to secure this data. It also creates an opportunity for criminals to exploit and extort people through phishing attempts or fake AV processes, an unfortunate and all too common practice.”
The ongoing explosion of data breaches continues to hit online services and their users hard. If Fortune 500 companies are routinely hacked and their sensitive data is put up for sale, what’s the basis for thinking smaller organizations, such as the one storing Discord users’ IDs, won’t suffer the same fate? With access to face photos, birth dates, addresses, and other information belonging to potentially millions of people, hackers stand to benefit the most from the move to require photo IDs as a condition for using a site. When the data can be linked to use of porn or other taboo services, the value of the data only rises.
There’s little recourse people can take to protect themselves against this threat, other than opting to stop using sites that require such data. While use of VPNs that mask users’ true geographic location is viable in many cases, that remedy is likely to become less effective as sites begin blocking the IP addresses VPN users are assigned. The best advice for people who have submitted IDs to Discord or any other service is to assume they have been or soon will be stolen by hackers and put up for sale or used in extortion scams.
Discord is advising affected users to “stay alert when receiving messages or other communication that may seem suspicious.” Given we live in an age when organizations hand over authentication credentials when asked nicely by teenage threat actors, it’s not clear how effective this advice is. Discord said it has service agents available to answer questions and provide support.