Earlier this year, Discord rolled out a new age-verification process in the United Kingdom, requiring some users to scan their government-issued identification. This initiative has unfortunately led to a significant security incident, with a new report indicating that millions of people who submitted their IDs may have had their personal information exposed.
Discord’s official statement confirmed that approximately 70,000 government-issued IDs were compromised following a hack targeting 5CA, a third-party service provider tasked with handling Discord’s age verification duties. The company assured users that beyond exchanges with customer support or trust and safety agents, no other Discord messages were breached.
However, a subsequent investigation by Cyber Security News paints a far graver picture, suggesting that the number of stolen government IDs could be as high as 2.1 million. The report estimates that the total number of affected individuals might be around 5.5 million unique users, stemming from 8.4 million support tickets.
Adding to the severity, hackers reportedly tried to extort Discord, claiming possession of 1.5 terabytes of stolen data. This cache potentially includes sensitive details such as usernames, email accounts, IP addresses, and the last four digits of credit card numbers. Discord has clarified that full credit card numbers and CCV codes were not exposed in the breach. The company is actively collaborating with law enforcement and is in the process of individually notifying all users impacted by the incident.
The possibility of leaked ID photographs was a major point of contention and a primary reason for public opposition to the UK’s age-verification requirement. It appears that 5CA was responsible for conducting manual reviews for users whose initial ID submissions were rejected or those appealing age-related suspensions.
This security lapse isn’t the only challenge Discord has faced recently. Earlier this year, Nintendo attempted to subpoena Discord to identify a user implicated in a massive Pokémon leak. Additionally, a Republican member of Congress has called for the CEOs of Discord, Steam, and Twitch to testify before Congress, raising concerns about alleged radicalization occurring on their platforms.