Discord Hack Exposes 70,000 Users’ Government IDs

Summary
– Discord suffered a breach where hackers stole government ID images of approximately 70,000 users who submitted them for age verification.
– The breach occurred through a compromised third-party customer service provider that Discord used to manage user data.
– Discord requires users to submit government IDs or selfies if they are reported as under the minimum age for their country.
– The company has cut off the vendor’s access and is notifying affected users via email from noreply@discord.com; it will not contact users by phone.
– This incident reflects a growing trend of online services, including Roblox and Twitch, requiring ID submissions, often due to legal age verification mandates.

A recent security incident at Discord has exposed sensitive government identification documents belonging to approximately 70,000 users. The breach occurred through a third-party service provider responsible for managing customer support data, highlighting the growing risks associated with mandatory digital ID verification. Users affected by this incident had previously submitted driver’s licenses or other official identification to resolve age verification appeals with Discord’s support teams.
Discord, like many online platforms, requires certain users to provide photographic proof of their identity to confirm they meet minimum age requirements. This typically happens when other users report someone as potentially being underage for their region. The verification process can involve submitting scanned government IDs or sometimes just a facial selfie, though the effectiveness of facial images for age confirmation remains questionable.
The company acknowledged that an unauthorized party compromised one of its external customer service providers, gaining access to support ticket information that included these sensitive identification documents. This type of data exposure creates what security experts describe as a substantial risk for identity theft, given that government IDs contain precisely the information criminals need to commit fraud.
Upon discovering the breach, Discord immediately revoked the third-party vendor’s access to its ticketing system. The platform is now notifying all affected users via email from its official noreply@discord.com address. The company has also clarified that it will not make any telephone contact regarding this incident, which helps users distinguish legitimate communications from potential phishing attempts.
This incident reflects a broader trend across digital platforms where services increasingly demand official identification documents. Beyond Discord, popular platforms including Roblox, Steam, and Twitch have implemented similar ID verification requirements for certain users. The practice has gained further momentum due to legislation in 19 U.S. states, France, the United Kingdom, and other jurisdictions that now mandate age verification for adult content websites.
While these verification measures aim to protect younger users and comply with legal requirements, the Discord breach demonstrates the significant privacy and security implications of storing sensitive identification documents digitally. As more platforms adopt these practices, the potential attack surface for identity thieves continues to expand, raising important questions about how companies should balance safety requirements with data protection responsibilities.
(Source: Ars Technica)