Age-Verification Mandates Blamed for Discord Data Breach
The head of a tech association blamed age-verification mandates for a Discord data breach Sept. 20 that exposed the personal information and some government ID images of its users.
Discord said Friday that an unauthorized party gained access to one of its third-party customer service providers with the goal of extorting “a financial ransom from Discord.” Exposed data was related to its customer service system, including driver’s licenses or passport images from users “who had appealed an age determination,” it added. Users whose images were leaked will receive an email that specifically notes that, Discord said. No information was provided as to how many users’ images were leaked.
“This unfortunately is the exact kind of breach we’ve been concerned about with age verification mandates,” Morgan Reed, president of ACT | The App Association, said in an email to Privacy Daily.
“Hopefully it will make policymakers take pause and consider the serious security risks we’ve been raising,” he added. Reed noted Discord began conducting age verification in response to laws like the Online Safety Act in Australia and the UK, which necessitate the collection of sensitive personal information, such as government-issued identification.
Sanjaya Palinda, head of IT and data protection officer at KeolisAmey Docklands, a light railway operator in London, said the incident is a “powerful example of what happens when well-intentioned safety measures collide with weak data governance.”
“This is the kind of situation security professionals quietly fear -- a ‘worst-case scenario’ where the data collected to make users safer ends up putting them at greater risk,” he said in a LinkedIn article. “Age verification systems are well-intentioned: they’re designed to protect younger users and ensure compliance. But when those systems require full identity documents, they become high-value targets,” Palinda posted Monday.
“If that data isn’t encrypted, isolated, or subject to strict governance, one vendor misstep can unravel years of user trust -- and undo millions in brand value overnight,” Palinda added.
Other information accessed in the incident included contact details, some billing data, such as the last four digits of a credit card, IP addresses and messages with customer service agents. Discord said that no full credit card numbers, CCV codes, messages beyond customer support, passwords or authentication data were impacted.
In an email to affected users, Discord said, “As soon as we became aware of this incident, we followed our incident response procedures and took immediate steps to address the situation, including revoking the customer support provider’s third-party access to our ticketing system, launching an internal investigation, and engaging a leading forensics IT firm to support our investigation and remediation efforts.” The company added that it notified law enforcement.
The company didn't provide details about when it discovered the incident or informed law enforcement, nor how many people were impacted by the breach.
Reed said that “for smaller developers, breaches like this highlight a serious and growing problem: age-verification mandates are forcing companies to collect and store the most sensitive personal data, without guaranteeing that data can truly be kept safe.” He added that “developers are being put in the impossible position of safeguarding information they never needed to collect in the first place, often with fewer resources than the larger corporations these laws were designed to regulate.”
“Laws like this simply don’t work,” Reed added. “The age verification proposals that pose these significant security threats don’t actually help keep kids safe,” but instead “strip families of their privacy and leave developers to take the fall.”
With age verification, there’s “a classic clash between compliance, privacy, and practicality -- and it’s only going to intensify,” Palinda said. “As the Discord breach shows, security and safety are two sides of the same coin -- and one can’t succeed without the other.”
In July, a breach of the women-only dating app Tea resulted in the leak of 72,000 images, including 13,000 selfies with identifying information (see 2507280017). Several lawsuits followed that breach, which some privacy professionals from vendor HaystackID said expose gaps in data governance and data protection guardrails that may be present within the entire app ecosystem (see 2508080041).
“While it appears that the Discord breach was less expansive than the Tea App breach in terms of users’ full information being accessed, the data is still extremely sensitive,” like individuals’ usernames, email addresses and the last four digits of their credit cards, Reed said. But “in the case of individuals who were challenging an age determination by submitting photos of government-issued IDs,” Discord’s breach “was as damaging as the Tea App breach.”
He said ACT | The App Association “will continue to raise the serious security risks these proposals pose and work with policymakers to find a solution that actually keeps our kids safe online and doesn’t create additional cybersecurity threats.”