Discord Privacy Nightmare: 70,000 Users Affected by Stolen IDs, Billing Info
Discord Just Proved What EVERYONE Feared - Including Me
Earlier this month, Discord reported that hackers gained access to one of its third-party customer service and support providers. They allegedly stole at least 70,000 images of government-issued IDs which were used for age verification.
According to Discord, other stolen sensitive information included:
Names, and Discord user handles
Email addresses, and contact details provided by user for support
Billing and payment metadata, including payment methods, purchasing history, and credit card info (last four digits)
Conversation transcripts and messages with support agents (i.e. what users communicated to support team representatives)
“Limited corporate data” such as training materials or internal presentations stored
IP addresses associated with support interactions
That’s a ton of personal data. It also says the following types of sensitive information were not accessed:
Full credit card numbers and security codes (CCV)
Messages or activity on Discord beyond what users may have discussed with customer support
Passwords or authentication data
All of it may have been impacted by the breach, according to Discord.
This is just another example of why organizations and digital workers should keep a watchful, mindful eye on security awareness. When it comes to data privacy concerns, we all exist in a vast interconnected digital network. And as digital and remote workers we should all be our own security experts, on a personal level.
But that’s not it. There’s more.
As you might have guessed, the motivation for the attacks appears to be entirely financial. The hackers’ initial $5 million ransom moved to a later demand of $3.5 million. An official Discord spokesperson says the company “will not reward those responsible for their illegal actions.” However, there are conflicting reports over the scope of the attack and who is at fault. Discord claims that the attackers are circulating false information about an adjacent customer service provider to justify attempts to extort large sums of money.
The cybercrime group called Scattered LAPSUS$ Hunters is claiming credit for the attack, saying that it took 1.5 terabytes of data from over 5 million users, including over 2.1 million government ID photos. Despite allegations, on October 14, the maligned third-party customer support vendor (known as 5CA) denied any handling of government-issued IDs on behalf of Discord, or that its system was hacked. They simultaneously admitted the incident potentially resulted from human error.
Let that sink in…
A spokesperson for Discord confirmed, “All affected users globally have been contacted and we continue to work closely with law enforcement, data protection authorities, and external security experts. We’ve secured the affected systems and ended work with the compromised vendor. We take our responsibility to protect your personal data seriously and understand the concern this may cause.”
It turns out the company was being extorted over a breach of its Zendesk instance by the cybercrime group—claiming to have “1.5TB of age verification related photos...” translating to approximately “2,185,151 photos.”
That’s powerful. It’s also extremely problematic.
Discord is already in the process of contacting victims and has already notified “relevant” data protection authorities. The company is also reviewing the security controls that govern its third-party support providers. In a statement, the third-party company (5CA) said its access to Discord’s ticketing system had been revoked and that the hackers never directly accessed Discord systems.
How to protect yourself
So, what do you do in this situation? The customers are painfully caught in the middle, with both sides pointing at the other.
Meanwhile, the data is… well, somewhere.
Cybercriminals typically target personal data because it commands a high price on the black market. The data is used in various kinds of scams. This Discord breach is yet another reminder that we are routinely forced to hand over sensitive data with very little visibility into storage procedures and protections. How our data is secured, shared, or stored over time is a key point of consideration. While you can’t claw back data that’s already leaked, you can take steps to control which parts you share.
How to protect yourself from future exposure:
Audit and keep track of where your sensitive data lives: If you have to share your sensitive data, read the privacy policy. If you no longer use the account, see if there’s an option to delete your data—then go and do it!
Pro tip: If unsure, or TLDR, you might use your favorite GPT for basic vetting. Ask it if there’s anything preventing full or optimal protections and controls, or ask it about specific privacy concerns. You can find out in seconds.
Use services that only require non-invasive data: Let’s be honest. This is becoming much more difficult. (Especially when data is pretty much a cottage industry unto itself.) But, like the man said—data that is never collected cannot be leaked. If you need to use a service, look for ones with clear, transparent guidelines. Take it upon yourself to know which data points it collects, for what purpose it will be stored, and for how long.
Keep online data sharing to a minimum: Don’t share any unnecessary information. Consider the use of email aliases whenever possible.
What about age verification?
The need to protect children from online harm and vulnerabilities is all too real. Recently established guidelines and rules have lit a fire beneath governments across the globe.
Governments from the European Union to Canada and Australia are moving the needle by following the UK’s newly enforced age verification laws.
But, keep in mind that one cannot assume any age-sensitive verification data would be immune from leaks. This event, among others, is proof. It means that organizations have a financial incentive to deploy genuinely secure, decentralized solutions (like an open standard) prior to rolling out any age verification process. An open standard is one such example of secure systems developed with privacy in mind.
The benefit of an open standard is a set of rules that dictate interoperability and sustainable long-term development. (Think of standards such as mobile 4G and 5G, SQL, XML, Ethernet, USB, OAuth, Bluetooth, WiFi, and others.) It’s a foundation built on systems that are not bound by proprietary closed systems. The concept applies to anything that is openly accessible to everyone, so that they can adopt or modify a thing without restrictions. It’s truly a model of cooperation, as opposed to narrow exclusionary practices. It’s a means for growth.
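As an added illustration of the “never collect it” principle above (this is not code from the original post, from Discord, or from any standards body), here is a minimal age-attestation exchange in Go: a hypothetical issuer that has already inspected the ID signs only an over-18 boolean bound to a platform-chosen nonce, and the platform verifies the signature and keeps that boolean, so no ID image ever reaches it or its support vendors. Keys, dates and the issuer itself are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
	"time"
)

// Attestation is all the platform ever receives: a yes/no claim bound to a
// platform-chosen nonce and an expiry. No birth date, no ID image.
type Attestation struct {
	Over18  bool   `json:"over18"`
	Nonce   string `json:"nonce"`
	Expires int64  `json:"exp"`
	Sig     []byte `json:"sig"`
}

// payload is the signed portion (everything except the signature itself).
func (a Attestation) payload() []byte {
	b, _ := json.Marshal([]any{a.Over18, a.Nonce, a.Expires})
	return b
}

// Issue runs at the hypothetical issuer, the only party that inspects the ID.
// It derives the boolean once and signs only that, never the document.
func Issue(priv ed25519.PrivateKey, birth time.Time, nonce string, now time.Time) Attestation {
	a := Attestation{Over18: !birth.AddDate(18, 0, 0).After(now), Nonce: nonce, Expires: now.Add(10 * time.Minute).Unix()}
	a.Sig = ed25519.Sign(priv, a.payload())
	return a
}

// Verify runs at the platform, which holds only the issuer's public key.
// It rejects forged, tampered, replayed (wrong nonce) or stale attestations.
func Verify(pub ed25519.PublicKey, a Attestation, expectNonce string, now time.Time) (bool, error) {
	if !ed25519.Verify(pub, a.payload(), a.Sig) {
		return false, fmt.Errorf("bad signature")
	}
	if a.Nonce != expectNonce || now.Unix() > a.Expires {
		return false, fmt.Errorf("replayed or expired attestation")
	}
	return a.Over18, nil
}

// NewNonce is generated by the platform per check so an attestation cannot be reused.
func NewNonce() string { b := make([]byte, 16); rand.Read(b); return fmt.Sprintf("%x", b) }

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // issuer keypair, constructed for the demo
	nonce := NewNonce()
	att := Issue(priv, time.Date(2000, 1, 1, 0, 0, 0, 0, time.UTC), nonce, time.Now())
	over18, err := Verify(pub, att, nonce, time.Now())
	fmt.Println("platform stores only:", over18, err) // a bool, not a document scan
}
```

A real deployment would use a published issuer key and a standard credential format rather than this ad hoc JSON, but the data-minimization property is the same: the platform can prove it checked age without ever holding the ID.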
To that end, various methods of verification, including face scanning, are being tested. As policy makers search for more concrete methods to verify underage users, the regulatory landscape is widening. Organizations could lose a courtroom battle or incur fines if they don’t get age checks right. Firms outside of compliance with the Online Safety Act could be fined up to 10% of their global turnover.
For example, Instagram rolled out facial analysis back in 2022 for users wanting to change their profile age to over 18. The social media company requires users to take a selfie video on their phone and uses AI to estimate the person’s age. As with Discord, users can alternatively upload a picture of their photo ID. Which brings us full circle to today’s issue. Try, fail, try, try again... Fail forward? As evidenced by this recent breach, these types of checks are ineffective and could lead to privacy issues.
My Take?
Stay mindful of the risks when joining a service. As your own personal security advocate, do your own research and keep tabs on your digital footprint wherever possible. Millions of users were affected in this incident and it’s unclear what actions Discord intends to take in the long term. If you, or someone you know, had occasion to open a support ticket on the Discord platform, swap out your credit card and take special precautions immediately.
Chat soon,
~ CH
If you like this and other posts, consider subscribing. If you know someone you think might be interested, tell them about it.
We like hearing from you!