Earlier this year, Discord implemented a new age verification system in the United Kingdom, which mandated users to provide scans of their government-issued identification. This initiative has now led to a significant security incident, as a recent report suggests that personal details, including ID information, belonging to millions of users might have been compromised in a recent data breach.
Discord`s official statement confirmed a security breach involving 5CA, a third-party service provider that Discord had contracted for age verification tasks. The company indicated that government-issued IDs for approximately 70,000 users might have been exposed. Discord further clarified that the breach did not extend beyond communications with customer support or trust and safety agents, meaning general user messages were not affected.
However, a subsequent investigation by Cyber Security News presented a much larger scale of impact, estimating that 2.1 million government IDs were stolen. The report also suggested that the total number of affected individuals could be around 5.5 million unique users, associated with 8.4 million support tickets.
The investigation further revealed that the attackers attempted to extort Discord, claiming possession of 1.5 terabytes of stolen data. This data potentially includes usernames, email addresses, IP addresses, and the last four digits of credit card numbers. Discord has provided assurances that full credit card numbers and CVV codes were not part of the breach. The company is actively collaborating with law enforcement and is in the process of notifying all affected users via email.
There is also a risk that photographs of the affected users` IDs could be leaked, which was a primary concern and a point of significant public resistance when the UK`s verification requirement was initially introduced. It appears that 5CA was responsible for the manual review process for users whose IDs were initially rejected or for those appealing age-related account suspensions.
In unrelated but notable events, Nintendo previously sought a subpoena against Discord to identify a user responsible for a substantial Pokémon leak. Additionally, a Republican member of Congress has called for the CEOs of Discord, Steam, and Twitch to testify before Congress regarding allegations of radicalization occurring on their respective platforms.