Did you know you can customize Google to filter garbage? Follow these steps for better search results, including adding my work at Lifehacker as a preferred source.
On Friday, October 3, Discord announced that a third-party service provider it uses for its customer service efforts had suffered a breach. It warned that a “limited number of users” who had communications with certain Discord teams were affected, although the “unauthorized party” did not have direct access to any Discord networks.
In this initial announcement, Discord stated that a number of types of user data may have been stolen. This included their names, usernames, email addresses, billing information, last four digits of credit cards, purchase histories, IP addresses, messages with Discord service agents, and “limited corporate data,” such as training materials and internal presentations.
While all of this information is sensitive, it is unfortunately not surprising that it would be part of a breach like this. However, Discord also revealed that hackers may have also gained access to a “small number” of government ID images, including driver’s licenses and passports. As it turns out, that “small number” turned out to be 70,000. Discord confirmed this to The Verge on Wednesday. If you were one of these affected users, Discord will have contacted you by email.
Age verification is a privacy nightmare
Why did a Discord affiliate even have these users’ government IDs to begin with? Age verification. Like many other companies, Discord now restricts certain content to minors. If you are wrongly identified as a minor, you have the right to appeal and prove that you are at least 18 years old. To do this, you need to take a photo of yourself with either a photo ID with your date of birth or a piece of paper with your full Discord username. Discord outsources this work to a third party, which the hackers targeted in this data breach.
What do you think of it so far?
As 404 Media reports, the hackers suggest they recovered even more data than Discord acknowledged. This includes data indicating whether users have been verified or not; users’ cities, states or counties, and countries of origin; information about whether multi-factor authentication is enabled for their account; and last time they were online on Discord.
This event demonstrates the risks of companies requiring users to verify their age when uploading government IDs. Users in Texas must verify their age before they can download apps to their phone, while a number of states require the same before accessing adult websites. No matter where you live, YouTube will use AI to guess your age, and if it’s wrong, you’ll have to prove your age yourself.
The goal is to protect children and underage users from accessing content they shouldn’t see, but in doing so, companies put users at risk: they ask you to trust them with your government IDs, your credit cards, and even your selfies; or, if not them, a third party affiliate. As we can see in this case, a security breach means that tens of thousands of Discord users who were simply trying to prove their age have now exposed their government ID cards. What happens when the entire population of a state faces the same situation? Or that of an entire country?
