Seventy-thousand. That’s the number of users who may have had their government-issued IDs stolen as part of a major breach of the popular chat and messaging app Discord. While that may seem like a small number when considering Discord has hundreds of millions of users, there is a more concerning factor here — tech companies continuing to require identification from some of its users and the security risk involved in maintaining that information.
What happened in the Discord hack?
Last week, the popular chat and messaging platform Discord announced that a third-party customer support vendor had suffered a breach. Any information that a user provided to a customer support representative with this third-party could have potentially been stolen by a bad actor. Discord said this included usernames, names, email addresses, chats with the customer support team, limited billing information such as the last four digits of a credit card, and photos of a “small number” of government IDs.
On Thursday, Discord updated this notice to include more details, including a specific number of affected users. In total, up to 70,000 users had their government-issued IDs exposed. According to Discord, “Of the accounts impacted globally, we have identified approximately 70,000 users that may have had government-ID photos exposed, which our vendor used to review age-related appeals.”
What are age-related appeals?
In the past, Discord did not collect government IDs from users. However, many states began requiring certain internet apps and services to prove users are not minors, either through a digital ID or facial recognition.
Discord allows users to submit a photo of themselves to prove their age; those pictures are then run through automated age verification systems. These systems estimate the user’s age and either let them proceed on the site or deny them access. Photos submitted are then immediately deleted from the age verification system.
Mashable Light Speed
However, in some cases, these age verification systems get things wrong. Users can then submit an appeal along with a photo of their government ID. Discord’s breach happened when its third-party vendor that processes its appeals was hacked.
As these age verification requirements spread, more sites will be forced to collect more information from users, giving hackers a trove of new information to pilfer.
What now?
As NBC News reports, hackers claiming to be behind the breach have set up a Telegram channel where they posted thousands of users’ names, email addresses, and other sensitive data. Hackers have also posted over 100 photos of individual Discord users holding up their government IDs.
Discord says approximately 70,000 Discord users have had photos of their IDs stolen by hackers who are now attempting to extort the site. The hackers claim to have more than 2,185,000 photos, but Discord has denied that number, claiming the hackers are exagerating to extort a ransom. It’s unclear what actions Discord intends to take at this time.
As age verification laws proliferate, tech companies like Discord will likely have to develop new, more secure methods for verifying their users’ ages.
Will Discord pay a ransom?
As is often the case in high-profile breaches, the hackers are trying to extort a ransom. However, Discord says that it will not pay a ransom or “reward” the cybercriminals responsible. A Discord spokesperson told The Verge, “we will not reward those responsible for their illegal actions.”
Topics
Cybersecurity
Privacy
