
Around 70,000 Discord users may have had images of their government IDs stolen, according to an update from the company. Last week, the popular chat platform notified users that the third-party vendor the platform uses for customer service was hacked, affecting Discord users who had interacted with the app’s customer support or trust and safety teams.
Discord initially announced last week that an unauthorized group gained access to a “small number” of government ID images. That includes images of sensitive documents like driver’s licenses, passports and potentially even selfies of people holding those documents – a common way to verify identity for online accounts.
On Wednesday, the company updated its blog post with the estimated number of users affected. While 70,000 users is a small sliver of the chat app’s 200 million monthly users, it’s still a large swath of people who now have very good reason to be worried about identity theft.
Beyond government ID images, the hackers may have gained access to Discord users’ names, usernames, emails and contact information, the last four digits of credit cards linked to accounts, IP addresses and messages with customer service agents. Discord emphasized that full credit card numbers and CCV codes were not compromised, nor were passwords or messages on Discord that weren’t with its third-party customer support provider.
“As soon as we became aware of this attack, we took immediate steps to address the situation,” Discord said in a newly updated blog post. “This included revoking the customer support provider’s access to our ticketing system, launching an internal investigation, engaging a leading computer forensics firm to support our investigation and remediation efforts, and engaging law enforcement.”
The hacking group stole the documents explicitly in an effort to “extort a financial ransom,” Discord disclosed in its blog post.
Age verification comes with its own risks
Discord emphasizes that this wasn’t a breach of its own systems and servers, but rather one that succeeded in compromising an external vendor the company uses. That distinction is important: Discord hosts a massive trove of chat logs and private conversations for its hundreds of millions of monthly active users.
This hack is still very bad news, particularly given the nature of the images that were stolen – the very images people rely on to establish the legitimacy of accounts around the web. Still, Discord users should know that server logs and private chats weren’t part of this hack. Discord says that it is in the process of contacting users affected by the ID document breach with an email from noreply@discord.com.
Discord did not name the vendor in its public statements, but signs and initial reports seem to point to Zendesk, which handles customer support for the platform. In a statement to Fast Company, Zendesk said that its investigation “indicates this incident did not arise from a vulnerability within Zendesk’s platform” and that its own systems “were not compromised.” Discord also uses the age verification provider k-ID for automated facial age estimation and identity document verification, though the company states that neither company permanently stores ID documents or the video selfies users upload to verify their age.
The hack is the latest example of the risks companies take on when they collect sensitive personal data from users. As age verification laws spread, companies like Discord are increasingly requiring users to upload their passports and driver’s licenses to prove that they are adults.
In July, Discord announced that it would make changes to comply with the UK’s Online Safety Act, which had newly come into effect. That law requires platforms to shield young people from pornography and content promoting self-harm, eating disorders or suicide through the implementation of age gates. While the Online Safety Act and similar U.S. state-specific age verification laws may have noble goals, they have faced pushback from critics concerned over their efficacy, privacy implications and the broader risk of letting governments decide what people are allowed to see online.