Over-retention of age verification data has predictable result in Discord breach

A third-party customer service provider for Discord has exposed ID documents that Discord had apparently been storing from people performing age verification on the platform.
An unauthorized individual appears to have had access to user data including contact information, IP addresses, the last four digits of credit card numbers and support ticket messages. Most worrying, though, is the exposure of “a small number of government‑ID images (e.g., driver’s license, passport) from users who had appealed an age determination,” Discord says. “If your ID may have been accessed, that will be specified in the email you receive.”
Discord began running a trial, or “experiment,” with biometrics-based facial age estimation supplied by k-ID earlier this year. Age verification could also be performed with a government ID document, however.
Discord stated that it uses Veratad for ID document validation, and also that “For ID verification, the scan of your ID is deleted upon verification.”
The breach only impacts users who have shared information with Discord’s Customer Support or Trust & Safety teams, however, suggesting it was not an identity service provider that was compromised.
PC Gamer notes the connection to age assurance regulations in the UK and elsewhere, but neglects to note that the storage of ID documents is not mandated or recommended by any of these authorities.
The over-retention of data was even specifically called out in the final report on Australia’s Age Assurance Technology Trial, which came out at the beginning of September.
PCMag notes the loosely-organized hacker group “Scattered Lapsus$ Hunters” has claimed responsibility for the attack.
Article Topics
age verification | data protection | Discord | identity document
It is important to note that this breach affected the customer services database, rather than any third party age assurance provider (AAP). As we understand the situation, some of the records included cases where users were seeking to challenge an age assurance outcome, so had supplied evidence of their age directly to the platform, not to the AAP. The golden rule to prevent data breaches is simply not to store personal data in the first place, and that is how well designed third party AAPs operate – that rule would apply to data processes for the purpose of an appeal just as much as it does to the initial process.
There is an emerging question as to whether platforms themselves should be data controllers for the purposes of age assurance, or whether regulators – in particular data protection authorities – should insist that the entire process, including any appeals, is conducted at arm's length, so that personal data supplied for the purposes of age assurance is never accessible to the platform itself.