Discord disclosed on Wednesday that around 70,000 users may have had sensitive data exposed, including government ID photos, after hackers breached a third-party vendor. This vendor is used by the platform for handling age-related appeals.
A Discord user typically makes an age-related appeal if the platform suspects they may be underage or if they live in a region that requires identity verification for platform access. In such cases, users are instructed to send a selfie while holding their government ID and displaying their Discord username to the platform’s Trust and Safety team.
Discord stated it has contacted the affected users. The exposed data may also include IP addresses, which can reveal the general geographic area where a user lives.
According to reports, this data breach may be larger than Discord has currently reported. The hackers claim to have stolen 1.5 terabytes of data, which could encompass far more than 70,000 images. However, a Discord spokesperson has stated these claims are incorrect and are part of an attempt to extort a payment.
The breach of Discord users’ data highlights concerns that digital rights activists have long expressed regarding age verification systems and their role in making the internet safer. Age verification laws, which require users to upload sensitive information like the government IDs exposed in this breach, have been enacted in about half of U.S. states. These laws typically apply to websites that host pornography. In response, Pornhub, a popular adult video site, has blocked traffic from these states altogether to avoid enforcing such age checks.
Furthermore, the United Kingdom’s Online Safety Act, which went into effect in July, requires a broader range of platforms to verify users’ ages. This includes major services like YouTube, Spotify, Google, X, and Reddit.