Best Of

DonnerKebab wrote: »

Amy22 wrote: »

DonnerKebab wrote: »

Update: I was right about point 4 of my post.

There’s been a significant data breach involving discord, where users photo ID’s were stolen. It affected those who uploaded their photo ID's to discords customer service, which was being outsourced to a third party (as I predicted above would happen) to appeal their age estimation rulings from photo's taken. Around 70,000 discord users are believed to have been affected by this data breach and had their photo ID’s exposed [1][8].

And what makes this an extraordinarily serious data breach is that there is no fix for this type of leak. You can change a password if a password gets leaked, you can regain access to a user account that's been hacked, but you cannot change the fact that your photo ID is out there on the dark web once exposed. It is considered biometric data under GDPR, which is considered "special category", due to the seriousness of losing it, as it cannot be changed [2].

That info, once leaked, can then be used for identity theft, to bypass security measures on various accounts owned by victims, such as their bank accounts, government accounts, and personal accounts, and it can also be used to open new accounts in the victims name, at any stage, for life. Biometric data doesn't change. That is how serious it is. It's not a short term issue [2][3][4]. It's a lifetime on a fraud alert registers, constantly watching for fraud at any point. [4]

What makes it worse is that the only reason that the photo ID's were even being collected in the first place is because of the Online Safety Act. It forced platforms to collect this sort of data from users, when photo based age predictor systems didn't work, and photo ID was required to be used instead to verify. The OSA's supposed "safeguards" have just exposed users to the possibility of life long fraud risk [5][6][7].

I mentioned in the original post that digital ID systems have been proven to be vulnerable by ethical hackers at times. I once again reiterate, that this remains a serious risk and flaw of the OSA that doesn't seem to be getting any attention.

References

[1] Tom’s Guide – Discord users suffer the first high-profile age verification hack, and it’s unlikely to be the last – https://www.tomsguide.com/computing/online-security/discord-users-suffers-the-first-high-profile-age-verification-hack-and-its-unlikely-to-be-the-last

[2] ICO – What is special category data? – https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/lawful-basis/special-category-data/

[3] ICO – Biometric Data Guidance: Demonstrating compliance – https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/lawful-basis/biometric-data-guidance-biometric-recognition/how-do-we-demonstrate-our-compliance-with-our-data-protection-obligations/

[4] Mexico Business News – The Permanent Price of Losing Your Biometric Identity – https://mexicobusiness.news/cybersecurity/news/permanent-price-losing-your-biometric-identity

[5] NCSC – Understanding Biometrics - https://www.ncsc.gov.uk/collection/biometrics/understanding-biometrics

[6] NCSC – Biometrics: General Principles – https://www.ncsc.gov.uk/collection/biometrics/general-principles

[7] SocRadar – Biometric Security Risks: Beyond Fingerprints and Facial Recognition – https://socradar.io/biometric-security-risks-beyond-fingerprints-and-facial-recognition/

[8] The Guardian – Hack of age verification firm exposes 70,000 Discord users’ ID photos – https://www.theguardian.com/media/2025/oct/09/hack-age-verification-firm-discord-users-id-photos

Omg I didn't know this actually happened recently and to think that a lot of discord users photo IDs are now floating out there exposed and possibly on the dark Web too sadly is quite a frightening thing to think. Also thank you for raising awareness of this because like me and possibly many others on here who may have a discord account will know the feeling of having to go through the photo ID process. Luckily I decided not to verify my ID because it didn't feel right to upload a picture of myself on there because God knows where that could be going.

@Amy22 it is genuinely scary, because 70,000 is no small number, and it could have happened to anybody's data. And the effects are lifelong. One of the things that's taught in cybersecurity is that there is no such thing as a 100% secure system. You can have an immensely secure system, protected against all known cyber security threats, but there's no absolute guarantees. New vulnerabilities are discovered all the time, encryption ciphers used in encryption algorithms are rendered obsolete from time to time too, human error exists. Only, thanks to the OSA, it's photo ID that's at risk now, which is special category data, rather than just standard personal data. As i said, the online safety act appears to be failing to make things safer.

independent_ wrote: »

We used Harvard all the time. Hated every second of it 🤣