70,000 Discord users may have had their government ID photos compromised following a cyber attack on one of its “third-party vendors.”
As part of the company’s legal obligation to comply with the UK government’s new Online Safety Act and the EU’s Digital Services Act, Discord — which boasts over 200 million users worldwide — required users to confirm their ages through a third-party agency called 5CA. While different platforms use different authentication methods, some require a photo of government-issued ID, such as a driving licence or passport to proof a user’s age. It’s these scans from users who had been in touch with Discord’s customer service team that have been compromised.
While Discord initially told us that a “limited number of users” had been impacted, a further update yesterday reveals “approximately 70,000 users that may have had government-ID photos exposed, which our vendor used to review age-related appeals.”
Cyber Security News, however, puts the number of those impacted much higher, claiming Discord faced “an extortion attempt” following the “significant” data breach on September 20 when hackers had access to the system for 58 hours. They claim to have stolen 1.5 terabytes of sensitive data, including over 2.1 million government-issued identification photos used for age verification, affecting “5.5 million unique users across 8.4 million support tickets.” This is considerably more than Discord’s estimate of 70,000.
Information possibly leaked includes:
- Name, Discord username, email and other contact details if provided to Discord customer support
- Limited billing information such as payment type, the last four digits of your credit card, and purchase history if associated with your account
- IP addresses
- Messages with our customer service agents
- Limited corporate data (training materials, internal presentations)
- The unauthorized party also gained access to a small number of government‑ID images
Discord assured users that full credit card numbers or CCV codes were not involved, nor were Discord messages, posts, or any password/authentication data. Anyone who has been impacted can expect a direct email from Discord.
“Discord has and will continue to take all appropriate steps in response to this situation. As standard, we will continue to frequently audit our third-party systems to ensure they meet our security and privacy standards,” the company said, adding that it had notified relevant data protection authorities, “proactively engaged with law enforcement to investigate this attack,” and reviewed its threat detection systems.
“Looking ahead, we recommend impacted users stay alert when receiving messages or other communication that may seem suspicious,” Discord added. “We have service agents on hand to answer questions and provide additional support. We take our responsibility to protect your personal data seriously and understand the inconvenience and concern this may cause.”
Photo by Artur Widak/NurPhoto via Getty Images.
Vikki Blake is a reporter for IGN, as well as a critic, columnist, and consultant with 15+ years experience working with some of the world’s biggest gaming sites and publications. She’s also a Guardian, Spartan, Silent Hillian, Legend, and perpetually High Chaos. Find her at BlueSky.
Source link
