Discord says 70,000 photo IDs compromised in customer service breach

No word on why the outsourced supplier was storing this data in the first place

Communication platform provider Discord has admitted that around 70,000 users had their government IDs stolen as part of its recent data breach.

The breach, which Discord insists occurred at an unidentified third-party customer service provider, involved government ID scans that users upload to verify their age.

Some countries have introduced legislation requiring platforms to vet users and ensure only those that meet a certain age threshold are allowed access. The most recent example is the UK with its Online Safety Act.

The UK says in-scope platforms, like Discord, must implement mechanisms to verify their users' ages "without collecting or storing personal data, unless absolutely necessary."

Discord's help article on how users can verify their age details two methods.

The first sees users take a photo of themselves holding a photo ID and a piece of paper with their username on it. This process is completed through Discord itself.

Users can also go through the automatic age-checking process provided to Discord by k-ID, a system British teenagers quickly found could be bypassed using a copy of Death Stranding.

It seems likely that the breach affecting around 70,000 government ID scans stems from how data collected during the first verification method was stored.

Discord's help article states clearly – albeit right at the bottom of the page – that "the information you provide will be used solely for age verification purposes and will not be used for anything else."

Regarding how k-ID handles data, it said: "Discord only logs the k-ID age verification results used to unlock your account – it doesn't save your selfie image. For questions about k-ID's processes, please contact k-ID."

We asked Discord why it does not adopt the same approach of only retaining the result rather than the scan when users supply it with their government IDs. We will update the story if it responds.

The revelation that Discord users' government IDs, such as driver's licenses and passports, were compromised is not new in itself, although the 70,000 figure is.

The platform mentioned that an unspecified number of government IDs were involved in the wider breach days ago, although the update with the total number of affected users only came late Wednesday.

Other details about the attack remain unchanged. Users may have had their names, usernames, email addresses, and other contact details stolen if they supplied these to Discord customer support.

Their IP addresses and messages with customer support reps may also have been accessed, and some limited billing data, too, including payment type, the last four digits of a credit card, and purchase history if it's associated with a Discord account.

Some Discord corporate data, like training materials and internal decks, was lifted in what it described as a limited capacity.

Discord said full financial details, user messages outside of those sent to customer support, and passwords or authentication details are all unaffected.

Each user will be affected differently, as is the case in most data breaches, but they will be told exactly what data concerning them was stolen in the direct comms sent from Discord HQ.

"Looking ahead, we recommend impacted users stay alert when receiving messages or other communication that may seem suspicious," Discord said in its advisory. "We have service agents on hand to answer questions and provide additional support.

"We take our responsibility to protect your personal data seriously and understand the inconvenience and concern this may cause."

Nathan Webb, principal consultant at Acumen Cyber, said the attack shows how cybercriminals are targeting organizations that supply or store data related to age verification, understanding the value of this sensitive information.

"Despite age verification being outsourced, businesses still have an accountability to ensure that data is stored appropriately," he said. "It's important for organizations to recognize that delegating certain processes does not absolve their responsibility to uphold data protection and security standards.

"Proper documentation also plays a crucial role in understanding and managing these risks. It helps to identify which third parties and remote access tools have access to specific systems and data, making it easier to pinpoint areas that require enhanced monitoring and tighter security controls."
