
Proof-of-age ID leaked in Discord data breach


Video game chat platform Discord has suffered a significant data breach stemming from a compromised third-party customer service provider, resulting in the exposure of sensitive user information including usernames, email addresses, billing details, partial credit card numbers, and a limited number of government ID images used for age verification appeals. The attacker reportedly sought a financial ransom. This incident underscores critical cybersecurity and third-party vendor risks for Discord, a platform with over 200 million monthly users, and could lead to heightened regulatory scrutiny and potential financial implications, especially as the breach involves sensitive personal data and occurs amidst new age verification compliance demands in markets like Australia.

Analysis

Video game chat platform Discord has suffered a data breach, informing users that their personal information – including identity documents of those required to prove their age – was compromised.

The company stated last week that an unauthorised party had compromised one of Discord’s third-party customer service providers, resulting in access to the data of “a limited number of users” who had been in contact with the customer service or trust and safety teams. The data compromised may have included usernames, email, billing information, the last four digits of credit card numbers, IP addresses and messages with customer support.

Discord said the alleged attacker “also gained access to a small number of government ID images (eg driving licence, passport) from users who had appealed an age determination.” Affected users were in the process of being notified as of last week. “If your ID may have been accessed, that will be specified in the email you receive,” Discord said.

The support system was targeted to access user data with a view to extorting a financial ransom from Discord, the company stated. Discord said it revoked the third-party provider’s access to its ticketing system and launched an internal investigation, including engaging with law enforcement. The attack appears to have occurred on 20 September, according to a user who received a notification.

Discord has said it has over 200m active monthly users. Discord began using facial age assurance to check the age of users in the UK and Australia earlier this year. The company said facial images and ID images “are deleted directly after” ages are confirmed, but Discord’s website noted that if verification fails, users can contact the trust and safety team for a manual review.

Under the under-16s social media ban due to come into effect on 10 December, the Australian government has outlined that it expects platforms such as Discord – one of the platforms that has been asked to assess whether it is required to comply – to have multiple options for assessing a user’s age, and a way for users to quickly appeal an adverse decision. Platforms can ask for ID documents as part of the age assurance scheme, but it cannot be the sole method of age assurance offered by the platforms under the policy. The Australian privacy commissioner confirmed it had been notified about the breach by Discord. Discord was approached for comment.

Video game chat platform Discord suffered a data breach originating from a compromised third-party customer service provider, leading to the exposure of sensitive user data including usernames, email addresses, billing information, partial credit card numbers, and a small number of government ID images used for age verification appeals. The attacker reportedly sought a financial ransom, indicating a direct monetary motive behind the compromise of customer support systems. This incident, affecting a 'limited number of users', is significant given Discord's reported user base of over 200 million monthly active users and the highly sensitive nature of the compromised government identification documents.

Discord has confirmed revoking the third-party provider's access, initiating an internal investigation, and engaging law enforcement, which are critical initial steps in breach response. The breach occurs amidst increasing regulatory scrutiny, particularly in Australia, where the privacy commissioner has been notified and new age verification mandates are set to take effect on December 10. These regulations require platforms to offer multiple age assurance options and securely manage sensitive ID data, heightening Discord's exposure to potential legal and compliance liabilities and potentially impacting its trust and user acquisition efforts.