Hack of age verification firm may have exposed 70,000 Discord users’ ID photos

Government ID photos of about 70,000 global users of Discord, a popular messaging and chat platform among video gamers, may have been exposed after hackers compromised a company contracted to carry out age verification checks. Some users’ names, email addresses and other contact details, IP addresses and messages with Discord’s customer service agents may also have been taken. The attacker has been trying to extort a ransom from the company. No full credit card details or passwords were seized. The breach was made public last week but the potential number of lost photo IDs emerged on Wednesday. A spokesperson for the UK’s Information Commissioner’s Office, which regulates data breaches, said: “We have received a report from Discord and we are assessing the information provided.” The photos that may have been taken were provided by users making age-related appeals to Discord’s customer services contractor in cases where they may have been locked out of the decade-old platform, which allows people to hang out through text messaging or voice and video chat. Some countries, including the UK, require social media and messaging providers to carry out age checks to ensure child safety. In the UK this has been the case since July under the Online Safety Act. Cybersecurity experts have warned of a risk that some providers of such checks, which can require government IDs, are becoming hacker targets with bad actors aware of the high volume of sensitive data. “Recently, we discovered an incident where an unauthorised party compromised one of Discord’s third-party customer service providers,” Discord said in a statement. “The unauthorised party then gained access to information from a limited number of users who had contacted Discord through our customer support and/or trust and safety teams … Of the accounts impacted globally, we have identified approximately 70,000 users that may have had government ID photos exposed, which our vendor used to review age-related appeals.” Discord required people who needed to prove their age to get back on to the platform to upload an image of their photo ID and Discord username. Nathan Webb, a principal consultant at the UK digital security company Acumen Cyber, said the breach was “very concerning”. “Despite age verification being outsourced, businesses still have an accountability to ensure that data is stored appropriately,” he said. “It’s important for organisations to recognise that delegating certain processes does not absolve their responsibility to uphold data protection and security standards.”