In a development that will come as no surprise to critics of age-verification legislation, Discord has just put a figure on its recent security breach in terms of the number of government photo IDs that have been compromised. And that figure is 70,000.
In a statement to The Verge, Discord clarified that its own security was not breached. Instead, it was a third-party supplier of customer support that was compromised.
More specifically, it was government photo ID used to review age-related appeals that was stolen. "This was not a breach of Discord, but rather a third-party service we use to support our customer service efforts. Second, the numbers being shared are incorrect and part of an attempt to extort a payment from Discord. Of the accounts impacted globally, we have identified approximately 70,000 users that may have had government-ID photos exposed, which our vendor used to review age-related appeals. Third, we will not reward those responsible for their illegal actions," Discord said.
In recent months, businesses have been pushed to adopt government mandated verification measures, such as those outlined in the UK's Online Safety Act. The fact that photo IDs were leaked will be viewed as proof of the fundamentally misguided basis of most age-verification measures. However, as our own Jacob R recently pointed out, it doesn't have to be this way.
Firing over actual copies of your photo ID to all and sundry, including all manner of websites, messaging apps and gaming platforms is asking for trouble, even if those platforms ostensibly promise not to keep copies. A much better alternative would be age verification where you don't actually share personal data.
One such solution is known as Zero Knowledge Proofs (ZKP). It's a cryptographic technique for proving something is true or false without revealing any information. Jacob says ZKP has been used on blockchains and even debated as a tool for nuclear disarmament talks, "but in this context, they act as a guarantee that a user is over a certain age without providing any identifying information on said user."
Anyway, the Discord breach, or at least the breach suffered by its third-party service provider, also included further data including names, usernames, emails, the last four digits of credit cards, and IP addresses. So, it's a pretty comprehensive mess.
While Discord isn't directly responsible for the breach, it does get to choose if it hands over responsibility for such sensitive work to third parties for some tasks and who those third parties are.
In response, Discord has said, "all affected users globally have been contacted and we continue to work closely with law enforcement, data protection authorities, and external security experts. We’ve secured the affected systems and ended work with the compromised vendor. We take our responsibility to protect your personal data seriously and understand the concern this may cause."
But that won't be much comfort to anyone who has had their government ID, name, username, email, the last four digits of their credit card, and their IP address stolen by bad actors. Here's hoping ZKP or something very much like it becomes the norm sooner rather than later.
