London: Popular messaging platform Discord revealed that hackers have stolen official ID photos belonging to around 70,000 users after breaching a third-party company responsible for age verification. The company clarified that Discord’s own systems were not compromised.
The stolen information may include personal data, partial credit card numbers, and messages exchanged with Discord’s customer support. However, Discord confirmed that no passwords, full credit card details, or other private messages and activities outside of support conversations were accessed. Following the breach, Discord revoked the third-party provider’s access and launched an investigation. The company said all affected users have been notified.
In its statement, Discord urged impacted users to remain cautious of suspicious messages or communications. “Looking ahead, we recommend impacted users stay alert when receiving messages or other communication that may seem suspicious,” the company advised.
Until recently, such a breach would have been unlikely, as companies previously had little reason to process or store proof of age. However, with more governments, including the UK, mandating age verification for online platforms hosting adult or unsuitable content, companies like Discord are now required to verify users’ ages, creating new data vulnerabilities.
Experts compare this process to age checks at physical stores when buying alcohol, except online, the process involves storing sensitive digital data, which increases the risk of exposure. Unlike a store that checks your ID without retaining a copy, online systems may inadvertently store thousands of ID images, creating an attractive target for hackers.
Discord explained that the age verification system itself was not compromised. The verification tool uses facial recognition software to estimate a user’s age from a live photo, which is then immediately deleted once the process concludes. The breach, however, affected the appeals process, managed by a separate unnamed third-party provider.
If a user believed they had been wrongly flagged as underage, they could submit a picture of their ID for manual review. These ID submissions were stored and later accessed by hackers. According to Discord, over 70,000 images were stolen, though the hackers claim a far higher number, more than 2.18 million photos. Discord has dismissed this claim, accusing the hackers of inflating numbers to demand ransom money.
The Discord breach adds to a growing list of global cyber incidents, including attacks on companies like Renault UK, Jaguar Land Rover, and even children’s nurseries such as Kido International.
Cybersecurity experts say that while digital IDs could help reduce the need to upload sensitive documents repeatedly, the most effective solution remains not collecting such data at all. “The best way to stop data being hacked is not to collect it in the first place,” the report concluded.
ALSO READ | Germany ends fast-track citizenship as migration views shift
