Another Day, Another Age Verification Data Breach: Discord’s Third-Party Partner Leaked Government IDs
from the seems-bad dept
Once again, we’re reminded why age verification systems are fundamentally broken when it comes to privacy and security. Discord has disclosed that one of its third-party customer service providers was breached, exposing user data, including government-issued photo IDs, from users who had appealed age determinations.
Data potentially accessed by the hack includes things like names, usernames, emails, and the last four digits of credit card numbers. The unauthorized party also accessed a “small number” of images of government IDs from “users who had appealed an age determination.” Full credit card numbers and passwords were not impacted by the breach, Discord says.
Seems pretty bad.
What makes this breach particularly instructive is that it highlights the perverse incentives created by age verification mandates. Discord wasn’t collecting government IDs because they wanted to—they were responding to age determination appeals, likely driven by legal and regulatory pressures to keep underage users away from certain content. The result? A treasure trove of sensitive identity documents sitting in the systems of a third-party customer service provider that had no business being in the identity verification game.
To “protect the children” we end up putting everyone at risk.
This is exactly the kind of incident that privacy advocates have been warning about for years as lawmakers push for increasingly stringent age verification requirements across the internet. Every time these systems are implemented, we’re told they’re secure, that the data will be protected, that sophisticated safeguards are in place. And every time, we eventually get stories like this one.
The pattern reveals a fundamental misunderstanding of how security works in practice versus theory. Age verification proponents consistently treat identity document collection as a simple technical problem with straightforward solutions, ignoring the complex ecosystem these requirements create. Companies like Discord find themselves forced to collect documents they don’t want, storing them with third-party processors they don’t fully control, creating attack surfaces that wouldn’t otherwise exist.
These third parties become attractive targets precisely because they aggregate identity documents from multiple platforms—a single breach can expose IDs collected on behalf of dozens of different services. When the inevitable breach occurs, it’s not just usernames and email addresses at risk—it’s the kind of documentation that can enable identity theft and fraud for years to come, affecting people who may have forgotten they ever uploaded an ID to appeal an automated age determination.
Discord, to its credit, appears to have responded appropriately to this incident:
The company is notifying impacted users now over email. If your ID might have been accessed, Discord will specify that. Discord also says it revoked the support provider’s access to Discord’s ticketing system, has notified data protection authorities, is working with law enforcement, and has reviewed “our threat detection systems and security controls for third-party support providers.”
But the fundamental problem remains: we’re creating systems that require the collection and storage of highly sensitive identity documents, often by companies that aren’t primarily in the business of securing such data. This isn’t Discord’s fault specifically—they were dealing with age verification appeals, likely driven by regulatory or legal pressures to prevent underage users from accessing certain content or features.
This breach should serve as yet another data point in the growing pile of evidence that age verification systems create more problems than they solve. The irony is that lawmakers pushing these requirements often claim to be protecting children’s privacy, while simultaneously mandating the creation of vast databases of identity documents that inevitably get breached. We’ve seen similar incidents affect everything from adult websites to social media platforms to online retailers, all because policymakers have decided that collecting copies of driver’s licenses and passports is somehow a reasonable solution to online age verification.
The real tragedy is that this won’t be the last such breach we see. As long as lawmakers continue pushing for more aggressive age verification requirements without considering the privacy and security implications, we’ll keep seeing stories like this one. The question isn’t whether these systems will be breached—it’s when, and how many people’s sensitive documents will be exposed in the process.
Just as states across the country are ramping up their age verification mandates, we get another reminder of why privacy advocates have been screaming about these policies from the rooftops. Each new law creates more pressure for platforms to collect more documents, stored by more third parties, creating more opportunities for exactly this kind of breach.
Perhaps it’s time to admit that the cure—requiring platforms to collect and store government IDs—might be worse than the disease.
Filed Under: age verification, breach, driver's license, privacy, protect the children, security, security theater
Companies: discord
Comments on “Another Day, Another Age Verification Data Breach: Discord’s Third-Party Partner Leaked Government IDs”
Age verification doesn’t require you to store them. Honestly, storing them long term should be illegal, with significant penalties.
Age verification does open up new attack vectors, but this one literally does not need to exist.
(Never mind that it sounds like these were stored plain
Re:
… Comment posted early. Apologies on the formatting.
That last quote was meant to say that a third party customer support team absolutely should be in the business of securing that kind of data. Identity verification comes up in other cases w.r.t. account appeals, and they also have to store other sensitive data (like credit cards).
Age verification laws create a much bigger database and higher stakes, but this isn’t really acceptable. The normalization of sensitive data being constantly leaked is insane. At this point my ID is going to join other sensitive info like my Social Security number. Assuming my ID itself hasn’t already leaked from a government breach.
Re:
It shouldn’t require you to store them, but I’m guessing some state’s/country’s laws require it be stored so that it can be audited later. i.e., just saying that they passed verification would not be sufficient. Auditors are pissy like that.
Re: Re:
The UK’s law doesn’t requiring storing them, but yeah, I’m sure it’s only a matter of time before some state doesn’t bother to think it through.
But even then, there are so many potential mitigation steps. Encryption, only using cold storage, requiring employee physical 2FA to access them, etc. None of them are perfect, but it’d be a huge improvement, if people took it seriously. Honestly if they were at least encrypted I wouldn’t be that upset, it’s the absolute bare minimum.
(And honestly, the fact that the government itself doesn’t handle the long term storage/verification is it’s own rant.)
Re:
Since it was only for appeals, I guess IDs were stored until issues were resolved (which can take days or weeks).
But as password are always (well, should always) stored encrypted, it should be the same thing for IDs, with only Discord, or the trusted third party, having the encryption key (an an unique one for each ID).
Re:
It won’t be. It’s far too profitable for companies to sell that data to third party data brokers. That’s why they get stored in the first place.
Re:
Of course it’s Discord’s fault. It’s disingenuous to suggest it isn’t Discord’s fault
It can’t be anything other than Discord’s fault
They chose the provider, they chose the means of age verification to be as intrusive as possible, their chosen provider would have made their terms for data theft/biometric data theft (and that’s what it is) clear to Discord during negotiations and how said data theft provider’s operation would monetize said data theft later
Discord are data thieves. They chose the method of data theft to be biometric and they chose the supplier of said data theft service
The only issue is that someone else stole the information they’d already stolen for storage for later monetization
Discord is not responding appropriately.
They have updated their tos and are forcing users to sign it and give up their right to sue.
“The real tragedy is that this won’t be the last such breach we see.”
No, it won’t. And mindful of Bruce Schneier’s admonition that “attacks always get better – they never get worse” I fully expect that the next phase of these will involve fake/shell companies set up expressly for the purpose of collecting this data and selling to anyone who can pay, then announcing that they’ve been hacked, then shutting down (while keeping the profits of course) and reconstituting themselves as a different fake/shell company in order to repeat the process.
The "children"
When you REQUIRE people to PROVIDE information that is not materially public, only two things will happen. One – nothing. Two – that information will go to people who shouldn’t have it, because 100% security only exists when you kill everyone who knows it. (Sicillian joke ref.)
So asking for “government-issued photo ID” already requires much more info than is necessary. Why must it be a “photo” ID? One more whine then the answer. And I cut out the “valid” part because all these websites AND TSA AND the airports won’t accept “expired” documents. So while I do have a driver’s license and it DID verify my permission to drive on public highways in my ONE STATE of the union, it no longer is usable to board an aircraft.
The real answer is that the government ought to offer a verification service, much as they do for EIN/SSNs. Then NOBODY needs to PROVIDE anything to anyone that can be hacked.
Verification, authentication, authorization, security, these are not new concepts.
Ignoring all of the concepts and having people “submit” (key word there) a copy of something that can be hacked… that’s the problem.
E
Excuses for violating societal norms inevitably point to preventing harm to the children. But of course they don’t. Children are not the oftentime victims politicians the media claim them to be.
And when it’s not about the children, it’s about the terrorists. They are not the “baddies” that politicians and the media claim them to be.
ALWAYS BLAME THE TERRORISTS (you know, like drug runners on a speedboat in international waters in Central America) or ALWAYS PROTECT THE INNOCENT LOVELY CHILDREN (who aren’t at all affected by most of this stuff).
And if none of that works, Article II.
I use online generated SSNs, driver’s license IDs, medical RXs, etc. Yeah, it’s against the law. But my real data stays safe.
This was always going to happen and will happen again.
Age verification laws by default need to contain that you don’t store all the data and make it illegal to store all the data they gain through the process of verifying all your data.
In australia they are bringing in digital id’s which will probably get connected to age verification.
It will be hacked, it will be stolen the thought that every single piece of information that can be used to verify who I am will be stored in one place terrifies me.
we already have a system online called myGov.au that is connected to social security and tax systems
Guess what I get the most spam about. People pretending to be myGov.au to attempt to get my log in details.
As Bruce Schneier says, data is a toxic asset.
Mandatory online age verification laws are like forcing business owners to store toxic waste on their premises. Of course it’s going to leak.
Pretty sure this is just because those nerds didn’t nerd hard enough. If we just pass a law mandating that they nerd harder everything will work out perfectly.
And hey, if it doesn’t, that’s a culture war wedge issue that can be exploited to stoke fear among the voters of spooky cyber criminals on the loose. If they actually fixed the issue there’d be nothing to campaign on.
Re:
You’re joking, but this could in fact have been mitigated by using industry standard practices for sensitive data.
Hashed ID?
Not commenting on the validity of the reasons for age verification, but…
Couldn’t they just verify the government ID once, then take the key fields (name, birthday, address, license number, expiry date) then make a salted hash of the ID document? This would allow the verification to be retrospectively proved, but would be less useful to hackers… and would allow future verifications with less intrusive information (say a device-specific passkey)?
Also, this would be revokable, unlike biometrics….
Re:
Yes (although you may want to store the actual photo of the person, not just pure text. If not the entire photo of the ID, just the photograph portion).
There are still some downsides like having to give up anonymity. But it would still be much better than just storing it naively. There is some research being done on this (see e.g. here, a paper from Steve Bellovin at Georgetown).
"They"
All irrelevant shit. Blackhats WILL get your data if you’re required to provide it. THAT is the point of the discussion. Read the damn article.
Specifically:
Who is the “they” you trust with the original data? What is this “government ID” you think of?
What “license number” and since you couldn’t be bothered to read my post above, I’ll say “Why should my identification document ever expire or need to be renewed”???
Salted hash? Thanks 1975. Didn’t realize you were calling. Encryption schemes are far beyond that now. FIPS 203 and 204 aren’t quite as stupid as “hash with salt.”
YOU ENTIRELY MISSED THE POINT. When you give away data it WILL get stolen. The key is not “how to encrypt it” for today, quantum, post-quantum, whatever quantum-next-gen is… but how NOT GO GIVE IT AWAY to ANYONE who will INVARIABLY lose it to the blackhats.
DO NOT TRUST because those you trust today are not those who will hack your data tomorrow.
Next up – submit (there’s that word again) your government ID (what’s that) to random elements to GET WHAT EXACTLY? The rights you already have.
Stand up for yourself, girl.
Re: The need for ID and revokability
For give my neive post….
I acknowledge your concerns about which sites should be able to require a governement ID and the slippery slope.
However, the need for ID verification beyond a Google or Facebook sign in remains. Even in the land of freedom (the USA) a drivers license (or some such ID is required to open a bank account, credit card, etc.
As you say, the hack by black hats is invevitable, and ID documents will end up on the dark web. It seems to me that we have a trade off…. The revokability of a digital ID verified by a third party provider that does not hold the original physical document (As in the AGIDS – Australian Government Digital Identification System) versus the privacy and vulnerability of a widely used physical ID. The AGDIS has many of the modern cryptographic features you alluded to, only lacking the post-quantum cryptography. For a revokable ID, it does not need to quantum cryptography yet, unlike stored secrets…. What alternative do you propose to deal with the large number of driver license numbers on the web? Changing everyone’s drivers license numbers every year? I respond without bile and acknowledge your privacy concerns, only raising a real world issue that will need to be dealt with at some time. I am sure there are people out there with better insights into these issues…
Re: Re: Experian?
Just curious… should Experian be on the list of organisations that have access to your drivers license?
https://www.twingate.com/blog/tips/experian-data-breach
Re: Re: Re: ID documents need to be used to be useful
Reflecting…
ID documents need to be used to be useful.
We can debate exactly which sites should have the ability to request ID, but some do…
As has been pointed out, the sites will enevitably be hacked and the ID put on the dark web.
So arguing social media cannot request ID because it will be hacked is misleading, because any effort to solve the problem of secure ID will apply to both essential sites and privacy invading sites.
This argument is different from the ‘nerd harder’ argument over end to end encryption, because there is no need for a backdoor or weakness in order for end to end encryption to work properly… to the contrary… any back door defeats the purpose of end to end cryptography.
Re: Re: Re:2 Hashes in the post quantum cryptography era
Hashes are still relevant in the post quantum cryptography era:
https://media.defense.gov/2021/Aug/04/2002821837/-1/-1/1/Quantum_FAQs_20210804.PDF
What is the progress of research on quantum-resistant hash functions in terminal security?
https://www.tencentcloud.com/techpedia/123070
The problem of storing a drivers license using a one way cryptographic function is analogous to the problem of cached credentials for a window login, with all the drivers license fields being concatenated into single ‘password’ before hashing.
There is a Microsoft Windows roadmap for post quantum cryptography…..
The privacy issues remain even if the technical issues are solved…
Re: Re: Re:3 One way TODAY is not one way FOREVER.
Quantum and post-quantum have no meaning except as steps in a long staircase. It’s like “nextgen” something. All good until it’s obsolete.
One-way functions are not one-way functions. They seem to be that way because that’s how Ron, Adi, and Len (sorry, Ken, off by one letter) developed modern day public key cryptography.
There is no mathematical proof that there exists a true one-way algorithm. Argue all you want, post PDF links all you want, but that’s the reality of it. This means potentially one day some number of one-way algs will be reversed.
And on that day all previously hertofore thought unbreakable encryption will be nothing more than an obsolete formula. Your CVV2 will mean nothing, much as CVV (now called CVV1) means nothing, much as entering it at a POS terminal means nothing so now we just let NFC handle it.
And on that day HTTPS and SMTPS and SSL and LUKS and FDE and everything that relies on this “assumption” of one-way encoding not allowing decoding will fail.
There’s an old joke about how Sicillians keep a secret. There’s true encryption for you.
Also feel free to suggest anyone who disagrees with your some PDFs is an idiot. Many idiots have displaced many academicians. This too will happen.
Encryption is dead. We just don’t know it yet.