Discord Says 70,000 Users May Have Had Their Government IDs Leaked In Breach (theverge.com)
An anonymous reader quotes a report from The Verge: Discord has identified approximately 70,000 users that may have had their government ID photos exposed as part of a customer service data breach announced last week, spokesperson Nu Wexler tells The Verge. A tweet by vx-underground said that the company was being extorted over a breach of its Zendesk instance by a group claiming to have "1.5TB of age verification related photos. 2,185,151 photos." In its announcement last week, Discord said that information like names, usernames, emails, the last four digits of credit cards, and IP addresses also may have been impacted by the breach. "All affected users globally have been contacted and we continue to work closely with law enforcement, data protection authorities, and external security experts," said Wexler. "We've secured the affected systems and ended work with the compromised vendor. We take our responsibility to protect your personal data seriously and understand the concern this may cause."
ID Verification (Score:5, Insightful)
Re: (Score:2)
It's supposed to be a disaster so then governments can say 'Oh dear, it was a disaster' and push for official Digital ID.
You need to learn to think like a burrowcrat.
Re: ID Verification (Score:2)
KYC bullshit (Score:5, Insightful)
This is EXACTLY why people fight against these stupid rules and laws like KYC, age verification, gun registration, etc. It's all theater that doesn't solve the real problems.
It only serves to support identity theft, extortion, invasion of privacy, and Rights violations. The criminals keep doing what they're doing because nothing changes for them. Lawmakers proving once again they're Grade-A greedy morons.
Re: (Score:3)
just verify your age bro it's no different than showing a bartender
some politician/spokegoon is out there sincerely making the meatspace comparison as we speak
It *should* be no different than showing a bartender. The problem is that we don't have strong data privacy laws in this country that prohibit retaining customer data beyond what is strictly necessary.
Those government IDs should have been sent as data directly to a printer along with the person's user ID, and a human being should have looked at it, pointed their phone at a high-density barcode or QR code or whatever, tapped "Approve" or "Deny", and then put it in the shred bin. Rinse, repeat.
There is abso
Re: (Score:1)
I'm glad we're grouping regulating deadly weapons in with discord age checks. I'm sure conflating one of your favorite partisan issues with this is bound to get everyone on board with your point.
Re: (Score:3)
Except one is regulating deadly weapons and one isn't. Nice try though.
Re: (Score:2)
The reason governments register guns is to confiscate them. It serves no other purpose.
The reason governments demand age verification is to introduce Digital ID. It serves no other purpose.
Yes, they're two separate and distinct things exactly as I was saying.
Re: (Score:1)
If a gun is found at a crime scene, the investigators should be able to at least find the last legal owner. Not reporting stolen or missing guns should be a gun-revokable offense.
Re: (Score:2)
I'm letting them run with their nonsense use of language as it doesn't make a difference to my point. Ask them to justify it.
Retention (Score:5, Insightful)
Why are these data being retained?
Once the age verification check has been completed, the information should be discarded.
Re: (Score:3)
I would not be surprised if it is for something nefarious like the AI training fad or selling the information. And/or for providing the data to law enforcement at request.
Re:Retention (Score:5, Interesting)
I guess as proof of due diligence, oh the irony. This whole thing is a mess.
Re: (Score:2)
Re: (Score:2)
It's simple. If one of the subscribers sued Discord saying that "I was underage at the time but you let me in anyway" there is no way Discord could prove they did their due diligence. If they deleted the information, the plaintiffs could claim, even if there is a policy to do the deletion, that Discord didn't 100% verify. The plaintiffs have proof they were underage and Discord just has a policy. If they have the photo ID, Discord can say this is what they got and if it isn't the plaintiff's ID then
Re: (Score:1)
They could create a key/code/whatever from the info on the document presented and store that, preferably off-line.
If someone later needed proof that they had done the age verification check, that coded info could be de-coded and presented to whomever.
There certainly isn't any reason to store that information, coded or otherwise, in an internet accessible location until the end of eternity.
Re: (Score:2)
Hashes would be perfect for this. Take the ID number, hash it, store the hash. If you need to verify, hash the ID number and compare it to the recorded one. Still no need to store _anything_ like an ID.
Also, don't hire third party companies to do it. They won't get it right. They never have. They never will. After all, it's not _them_ on the line if there is a breach. Somehow the third parties always seem to slip past the blame and liability and it all goes to the ones who hire them.
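As an added example (not part of any comment above, and not Discord's or its vendor's code), one way to keep proof of a check without keeping the ID is to store a keyed hash of the ID number together with the yes/no result. The function names, record fields and sample values are constructed for illustration; a key is used because a plain hash of a short ID number can be enumerated, which the last function shows.

```python
import hashlib
import hmac
import secrets
from datetime import date

def normalize(id_number: str) -> bytes:
    # Strip spaces/dashes and case so the same document always yields the same tag.
    return "".join(ch for ch in id_number if ch.isalnum()).upper().encode()

def id_tag(id_number: str, key: bytes) -> str:
    # Keyed hash: without the key, the tag cannot be tested against guessed ID numbers.
    return hmac.new(key, normalize(id_number), hashlib.sha256).hexdigest()

def age_on(dob: date, today: date) -> int:
    return today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))

def make_record(user_id: str, id_number: str, dob: date, key: bytes, today: date) -> dict:
    # Only the tag, the yes/no outcome and the check date are kept;
    # the ID number, date of birth and photo are never written to the record.
    return {
        "user_id": user_id,
        "id_tag": id_tag(id_number, key),
        "over_18": age_on(dob, today) >= 18,
        "checked_on": today.isoformat(),
    }

def matches(record: dict, id_number: str, key: bytes) -> bool:
    # Later proof: the user re-presents the document and the tags are compared.
    return hmac.compare_digest(record["id_tag"], id_tag(id_number, key))

def recover_from_plain_hash(digest: str, digits: int):
    # Why the key matters: ID numbers are short, so a plain SHA-256 of one
    # can be reversed by trying every candidate.
    for n in range(10 ** digits):
        cand = str(n).zfill(digits)
        if hashlib.sha256(cand.encode()).hexdigest() == digest:
            return cand
    return None

if __name__ == "__main__":
    key = secrets.token_bytes(32)  # assumption: held offline or in an HSM, not beside the records
    # Constructed sample values, not real identifiers.
    rec = make_record("user-1001", "04-8213", date(2001, 3, 14), key, date(2025, 10, 9))
    print(rec)
    print(matches(rec, "048213", key))
    print(recover_from_plain_hash(hashlib.sha256(b"048213").hexdigest(), 6))
```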
Priceless. (Score:3)
Re: (Score:2)
The UK now requires them to check ID before allowing access to some content. For sites like Discord that effectively means everyone needs to present ID, because they don't want to control what people say on their site before publishing it.
Let's see how many UK users who verified their age are in there, and what the fallout is.
Re: (Score:2)
Fallout? LOL. Nothing is getting rolled back. This is just one of the steps to a digital ID that will be required to even get online. You know it's coming one day.
Re: (Score:2)
Discord can blame someone else all they want, they are ultimately the one responsible with your data.
Why the blind trust in tech? (Score:4, Interesting)
It started off as a tool as trustable as a shovel. Want to move dirt? Use a shovel.
Want to put data in a database? Use this screen.
Now? Software and devices are shackles to your service provider.
Xhitter became toxic? Let's all go to Discord. They are for sure trustworthy.
They would never mine our data, raise rates, or
FOR SURE!!
Why such blind trust?
Nobody seems to be able to see any of the downsides of software and services.
Any mention of the negatives is hand waved away, until this happens. This always happens.
Just because it's an option, does it mean you should take it?
Re: (Score:2)
Think of how dumb the average person is, then realize that 50% of people are dumber than that. And they get to vote!
Re: (Score:2)
<runs screaming from the room>
Bullshit (Score:2)
"We take our responsibility to protect your personal data seriously" - Not if you are using third party vendors to save a buck. Such bullshit.
suitability (Score:4, Insightful)
Is a face photo really suitable for age verification? Can it reliably distinguish between an 18yo and a 19yo? Is it better than a photo of, say, the back of the hand?
What are the odds that these photos were not encrypted or even cropped to be just a thin strip of image instead of the full face?
Re: (Score:3)
Is a face photo really suitable for age verification?
No, but for age verification, these photos will be of entire driving licences or passport pages, so they contain DoB and other data.
Who'd've thought that they'd be vague about what exactly the photos are of.
Re: (Score:2)
It's funny that my pharmacy doesn't even look at my ID anymore. They just swipe it in their system and hand it back. I mean, you could have at least LOOKED at the name to make sure it's the same as the order.
What's worse is there is a nice 2D, signed, barcode on the back. You can 100% verify the ID is genuine using that. Except everyone just uses the magnetic strip. What makes it more depressing is there is a third stripe on the card that does contain a hash, but most readers only use the two. It makes me
All According To Plan (Score:2)
Governments around the world would not wish for lawfully private data to fall into some AI database somewhere that is contracted to the same gov't, purely for writing assistance.
Re: (Score:2, Informative)
And in the U.S., the DOGE maggots have already siphoned off your SS data to Peter Thiel and Palantir.
For the record: UK only (Score:4, Interesting)
According to Discord's own QA page:
Q: Is Discord introducing mandatory age verification or ID checks?
A: The United Kingdom's Online Safety Act ("OSA") introduces new responsibilities for online platforms to reduce safety risks and provide age-appropriate experiences for users, especially teens. In compliance with the UK OSA, all new and existing UK users will be assigned updated default settings.
These defaults include automatic content filtering (which is already enabled for teens everywhere) to reduce the likelihood that teens encounter certain types of potentially harmful content, as well as different social settings. UK users who wish to access content flagged by our filters or customize those settings can do so only after verifying that they are 18 or older through our new privacy-forward age verification experience.
Our new privacy-forward age verification experience is required in specific scenarios that meet the OSA's requirements, while building on our commitment to fostering genuine connections and a positive online experience. Check out our Safety Center article to learn more about why we are making these changes due to the UK OSA.
Age verification is currently only available to UK users. For more info, please visit our Help Center article.
Not UK only. (Score:3)
Re: (Score:2)
Legal? (Score:2)
Re: (Score:2)
Just two letters. UK. They passed a law, Online Safety Act 2023, that requires age verification to prevent minors from "accessing harmful material".
Do a web search for "How to get around the Online Safety Act" and it will be all laughs.
Re: (Score:2)
Re: (Score:2)
Re: (Score:1)
They deserve it (Score:3)
If you are ignorant enough to hand over a copy of your ID to a 3rd party, you deserve what's coming after.
There should be a central government-run ID verification system where the user identifies through the govt who already have your details but where the end system only gets a yay or nay response, without having access to your data.
3rd parties fundamentally cannot be trusted with your sensitive data.
Another issue here is that scanning your ID should never have been the means to prove your identity in the first place. Your ID should only be valid when presented in person right next to the same face. Because if a copy is enough, then anyone holding it can pretend to be you just like you would.
AND THERE IT IS. (Score:2)
Nope. I get it, some countries require ID verification now. But verify then destroy the data. Nope Discord did exactly what everyone with a brain thinks they would do - hoard the data to later be 'stolen.'
I heard this legend before (Score:1)
I'm cynical but... (Score:1)
...consider their motivation to make age verification seem to be impossible to implement.
They don't want to do it. So best to have a few "accidents" along the way.