70,000 Government IDs Were Exposed In A Discord Breach - Could Yours Be Next?


ZDNET's key takeaways

  • A third-party service for customer support was hit.
  • About 70,000 users may have had government ID photos accessed.
  • The incident highlights the challenges of state-imposed age verification.

Discord has revealed the theft of about 70,000 government-issued ID photos in a recent data breach.

The platform was targeted by cybercriminals who compromised one of Discord's third-party vendors. The vendor in question provided customer support services, including age verification, which requires a photo ID displaying the user's date of birth -- a system launched in response to new age verification laws imposed in the UK, which is being followed in the EU, Australia, and some US states.

The company said the cyberattack's overall aim was to use the stolen data as leverage to secure a "financial ransom."

In a security advisory, Discord was keen to stress that the data breach didn't happen at Discord -- a messaging platform popular with gamers that has amassed about 200 million users worldwide -- but rather through the third party.

What was stolen?

Information provided by users to customer support may have included names, Discord usernames, email addresses, contact details, limited billing information, purchase histories, messages between users and customer service reps, and government-issued ID photos.

Full credit card numbers, card CCV codes, and authentication data (such as passwords) were not involved in the breach.

Who was impacted?

Discord has not revealed the exact number of users embroiled in the data breach, beyond saying that the government-issued photo IDs of 70,000 users were exposed.

"This incident impacted a limited number of users who had communicated with our Customer Support or Trust & Safety teams," Discord said.

In other words, we don't know just how many users are involved worldwide. A group that has claimed responsibility for the breach said it stole information belonging to 5.5 million unique users, according to Bleeping Computer, but Discord told the publication "the numbers being shared are incorrect and part of an attempt to extort a payment from Discord."

How has Discord responded?

Once the security incident came to light, Discord revoked the customer support provider's access to the ticketing system, launched an investigation, hired a cyberforensics firm, and notified law enforcement.

Discord is "continuing to investigate this matter [and] working closely with law enforcement."

How can I know if I am involved?

Discord is in the process of notifying impacted users -- and in particular, if your government ID photo was leaked, this will be mentioned in the email sent to victims.

"Looking ahead, we recommend impacted users stay alert when receiving messages or other communication that may seem suspicious," Discord added. "We have service agents on hand to answer questions and provide additional support. We take our responsibility to protect your personal data seriously and understand the inconvenience and concern this may cause."

What should I do if I think I am involved in this breach?

Considering how recent this security incident is, we have yet to hear whether or not victims will be offered any of the usual -- a free year of credit monitoring, for example.

If you're concerned about potential ID theft or financial fraud, however, take the following steps.

  • Check out HaveIBeenPwned: You can use the HaveIBeenPwned website to see what data breaches you may have been involved in. Keep in mind, however, that it can take time for new breaches to appear in the database.
  • Sign up for a credit monitoring agency: Even a free service can alert you to any unexpected changes on your credit file, such as someone fraudulently using your information to take out a loan.
  • Freeze your credit, payment cards: If you believe you may be a victim of financial fraud due to unusual credit monitoring alerts or unexpected transactions, contact your financial services provider immediately to issue a temporary freeze. You may also be able to do this yourself via banking and financial apps.
  • Consider your government ID: Depending on your location and local laws, if Discord says your photo ID has been exposed, you should consider reaching out to relevant authorities to make them aware of the situation.
  • Watch for updates: Keep an eye out for any communication from Discord with updates.

Age verification policy challenges

Discord is a victim, just as the estimated 70,000 users who handed over their photo IDs.

Now, it's possible that those photos could be used in identity theft and financial fraud. They're out there, and this means that each victim has to go through the process of finding out, potentially having to inform authorities, and potentially securing a replacement government-issued ID.

Discord may call 70,000 a "small number of government‑ID images," but to each of those 70,000 individuals, it's not a small matter.

The requirement to submit sensitive information just to access a website, whether a messaging platform or pornography, always had the potential to become a privacy disaster. The concern is that these policies don't improve the safety of children, but rather erode the privacy, safety, and potentially financial security of an entire population.

(Let's not forget to mention that you can use a VPN to bypass many of these checks, anyway.)

To make matters worse, the responsibility of ensuring this information is kept safe and secure has been imposed on organizations worldwide, with different security approaches and levels of maturity. The government that imposed the law doesn't have to deal with the real-world consequences.

So, what's the answer? If you want to protect children and stop them from accessing content they shouldn't, device-level controls are, and continue to be, the best approach. Trust parents enough to enforce the right levels of control at appropriate ages, and, perhaps, provide more support and resources for parents who don't consider themselves tech-savvy enough to handle the task.

Discord may be the first significant case, but it will likely not be the last.
