
The Discord Breach Might Be Worse Than We Thought, As The Hacker Is Said To Have Two Million Age Verification Photos

⁨798⁩ ⁨likes⁩

Submitted ⁨⁨3⁩ ⁨weeks⁩ ago⁩ by ⁨return2ozma@lemmy.world⁩ to ⁨technology@lemmy.world⁩

https://www.thegamer.com/discord-data-breach-2-million-photos-1-5tb-age-verification-zendesk/

Comments

  • Darkcoffee@sh.itjust.works ⁨3⁩ ⁨weeks⁩ ago

    Anyone still defending age verification online is an idiot.

    • CosmoNova@lemmy.world ⁨2⁩ ⁨weeks⁩ ago

      I don‘t think I‘ve ever seen someone defend it online but there were a few people laughing it off which is not much better.

  • HexesofVexes@lemmy.world ⁨2⁩ ⁨weeks⁩ ago

    So, I looked at age verification - it was made clear photos were on device only and never transmitted.

    If this turns out to be false, then the legal fallout would be apocalyptic.

    • AmbitiousProcess@piefed.social ⁨2⁩ ⁨weeks⁩ ago

      These were photos submitted via the compromised support provider (Zendesk) via the Discord support portal.

      Automated age verification via their partner (k-ID, which has its own issues) is a separate system, which was only available to some users. Other users had to contact Discord support manually and submit photo ID, which went through Zendesk, which was then compromised in this breach.

      https://support.discord.com/hc/en-us/articles/360041820932-Help-I-m-old-enough-to-use-Discord-in-my-country-but-I-got-locked-out

      Additionally, for the automated process, it’s the video selfie that’s on-device and never transmitted, but photos of your ID and selfie photo are transmitted, just supposedly deleted afterwards. Those ones are not included in this breach, as far as we’re aware, as it’s an entirely different third party with wholly separate infrastructure.

      • NuXCOM_90Percent@lemmy.zip ⁨2⁩ ⁨weeks⁩ ago

        Which is why you farm off stuff like this to third parties whenever possible

        DiscordCorp will get a slap on the wrist and give people an offer of a free six months of discord turbo (so long as you provide payment info so it can auto-renew on month seven).

        But ANY meaningful consequences will go toward Zendesk Corp for not doing what they were supposed to. And… then everyone will just use ZZendesk instead

      • HexesofVexes@lemmy.world ⁨2⁩ ⁨weeks⁩ ago

        Neat summary and cleanup - editing original post to point at this.

    • lemmyout@lemmy.zip ⁨2⁩ ⁨weeks⁩ ago

      What legal fallout? Discord made users agree to new terms just a week ago that involves forced arbitration.

      • Azzu@lemmy.dbzer0.com ⁨2⁩ ⁨weeks⁩ ago

        Forced arbitration clauses are not legal in many European jurisdictions, so “agreeing” to them didn’t actually do anything.

      • ms_lane@lemmy.world ⁨2⁩ ⁨weeks⁩ ago

        Sounds like Discord is about to have 2 million cases of arbitration to sort out.

        One person takes them to arbitration, it’s short work for their legal team, if 1000 do it’s harder, if 100,000 do, you still have to respond in a timely manner. The costs would be astronomical.

        Valve and a few others removed it for that reason, it’s a bomb waiting to blow.

      • Holytimes@sh.itjust.works ⁨2⁩ ⁨weeks⁩ ago

        Forced arbitration tends to backfire massively when you have something of this scale, because everyone starts doing it. The cost of that forced arbitration is more than what the lawsuits would have been without it. It’s a big reason why Steam got rid of it. If you get too many people trying to go after you, it’s just not worth it and costs too much.

      • REDACTED@infosec.pub ⁨2⁩ ⁨weeks⁩ ago

        I’m not sure if Discord’s ToS apply to zendesk

    • Assassassin@lemmy.dbzer0.com ⁨2⁩ ⁨weeks⁩ ago

      Here’s the information directly from the FAQ as of right now:

      Q: Is my data stored when I use Face Scan or Scan ID verification?

      A: Discord and k-ID do not permanently store personal identity documents or your video selfies. The image of your identity document and the ID face match selfie are deleted directly after your age group is confirmed, and the video selfie used for facial age estimation never leaves your device.

      • LyD@lemmy.ca ⁨2⁩ ⁨weeks⁩ ago

        That sounds like the video stays on your device but the photos do not.

      • oplkill@lemmy.world ⁨2⁩ ⁨weeks⁩ ago

        Big company lies again what a big surprise

      • Ganbat@lemmy.dbzer0.com ⁨2⁩ ⁨weeks⁩ ago

        Yeah, but those methods of verification weren’t the subject of this breach, this was some manual bullshit done through Zendesk.

    • floofloof@lemmy.ca ⁨2⁩ ⁨weeks⁩ ago

      Where is that small print? It should be archived before Discord tries to change it.

      • HexesofVexes@lemmy.world ⁨2⁩ ⁨weeks⁩ ago

        …discord.com/…/30326565624343-How-to-Complete-Age…

        Check down on data security ;)

    • renegadespork@lemmy.jelliefrontier.net ⁨2⁩ ⁨weeks⁩ ago

      Idk it doesn’t seem like there are any legal consequences for tech companies anymore.

      • ipkpjersi@lemmy.ml ⁨2⁩ ⁨weeks⁩ ago

        Definitely not, laws are only for the poors.

    • mr_pip@discuss.tchncs.de ⁨2⁩ ⁨weeks⁩ ago

      you agree to legal mediation other than a court in their terms of service, so… not really

      • explodicle@sh.itjust.works ⁨2⁩ ⁨weeks⁩ ago

        Those don’t always hold up, especially when the shit is really hitting the fan.

  • plz1@lemmy.world ⁨2⁩ ⁨weeks⁩ ago

    The fact that these photos and PII (personally identifiable information) were not destroyed after the verification process was certified is absolutely atrocious OpSec. I don’t even care which of the two companies is ultimately responsible, because they are both responsible.

    1. Zendesk for their bad OpSec
    2. Discord for both outsourcing this AND not having contractual requirements to properly secure and destroy PII when it was no longer required.

    I work in IT, and treat PII like it’s dangerously radioactive, because in the digital world, it really is.

    • TomArrr@lemmy.world ⁨2⁩ ⁨weeks⁩ ago

      “Apparently” only those who were challenging the verification results and uploaded awaiting reverification are affected.

      Not that that isn’t bad enough

      • Kissaki@feddit.org ⁨2⁩ ⁨weeks⁩ ago

        That’s even worse, in my eyes. Maybe not in scale, but when the appeal process is more vulnerable, that seems very questionable.

    • prole@lemmy.blahaj.zone ⁨2⁩ ⁨weeks⁩ ago

      That’s because you have ethics

    • luciferofastora@feddit.org ⁨2⁩ ⁨weeks⁩ ago

      Me when I get a request for PII pertaining to a suspected corruption case: Have one of our corporate lawyers give me a written and explicit statement of what data I’m supposed to send to whom or get bent. I’m not touching that with a ten foot pole and gloves unless I have a legally solid affirmation that what I’m doing won’t come back to bite me, and that our workers’ council knows about it and will back me up.

      I’m reluctant to even confirm that I can get that information in the first place. I mean, I’m the one with full access to the audit tool, so I probably do, but I’d have to access that data in the first place to check. I don’t think that anyone would notice or care so long as I don’t share that information, but as you said: dangerously radioactive; don’t touch if I can help it.

    • Zen_Shinobi@lemmy.world ⁨2⁩ ⁨weeks⁩ ago

      Right. It blows me away the required training we have to do for physical files more secured than Fort Knox! Tech world? Eh just throw it in the recycle bin

    • aidan@lemmy.world ⁨2⁩ ⁨weeks⁩ ago

      I agree completely, it’s moronic, but I do imagine the law requires it.

  • kylian0087@lemmy.dbzer0.com ⁨2⁩ ⁨weeks⁩ ago

    Proves the UK is a shithole as well, funnily enough.

    Nothing against the Brits but their government oh damn that’s bad.

    • Blackmist@feddit.uk ⁨2⁩ ⁨weeks⁩ ago

      Wait til you see the next one.

      :(

      • Fraction9170@infosec.pub ⁨2⁩ ⁨weeks⁩ ago

        Yep. This is just the first. As long as individuals submit to these ID verifications, services which provide them will be highly targeted. I find it ridiculous that 1.5 million people actually submitted their info to access discord instead of finding a workaround or alternative. I can only imagine how many are gullible enough to verify on porn sites.

      • Reginald_T_Biter@lemmy.world ⁨2⁩ ⁨weeks⁩ ago

        We’ll be reminiscing about good old boring Starmer once Lord Godshite inevitably gets voted in by a load of gammons

    • TankovayaDiviziya@lemmy.world ⁨2⁩ ⁨weeks⁩ ago

      Labour under Starmer is closet Tory. I wish that the popular Manchester Labour mayor (whose name I forgot) would take his place as PM, which actual leftist politicians are trying to make happen. Although this will be a Sisyphean task under the ruthless politicking in British politics and the Labour Party’s own strict rules on who can become PM.

      • this_is_phil@sh.itjust.works ⁨2⁩ ⁨weeks⁩ ago

        Andy Burnham!

  • chatokun@lemmy.dbzer0.com ⁨2⁩ ⁨weeks⁩ ago

    Hmm, I don’t recall ever doing age verification for Discord. Were older accounts grandfather’d in, or is it currently limited by region or something?

    • SoftestSapphic@lemmy.world ⁨2⁩ ⁨weeks⁩ ago

      I think it’s a UK thing

      They have been passing legislation to basically dox their citizens for them to gain access to the internet

      • REDACTED@infosec.pub ⁨2⁩ ⁨weeks⁩ ago

        The Russia thanks UK for this valuable information

      • themachinestops@lemmy.dbzer0.com ⁨2⁩ ⁨weeks⁩ ago

        It was obvious things like this would happen. Unlike banks and government sites, social media sites don’t have strict cyber security requirements, and they want these sites to hold a government ID. It was a bad idea from the start.

      • TomArrr@lemmy.world ⁨2⁩ ⁨weeks⁩ ago

        Also currently being rolled out in Australia too 😔

    • newcool1230@lemmy.ml ⁨2⁩ ⁨weeks⁩ ago

      I believe people from EU and people who say they were under 13 and got reported. They needed to send in a pic of them holding their ID.

      • schnokobaer@feddit.org ⁨2⁩ ⁨weeks⁩ ago

        From EU, got nothing

      • aeternum@lemmy.blahaj.zone ⁨2⁩ ⁨weeks⁩ ago

        damn. I’m a 2 month old infant. Will I need to send in my ID??

      • SaharaMaleikuhm@feddit.org ⁨2⁩ ⁨weeks⁩ ago

        Am from EU. Two accounts, but no ID confirmation required for either.

      • seraphine@lemmy.blahaj.zone ⁨2⁩ ⁨weeks⁩ ago

        as some pointed out, EU folks didn’t have to verify anything. afaik, it’s the UK folks that are affected

    • Holytimes@sh.itjust.works ⁨2⁩ ⁨weeks⁩ ago

      Any time your account gets locked for age reason it requires it. So if you have never had an age lock it’s unlikely you had to do it.

      It’s as easy as someone reporting you for being underage with no proof or even just saying “I’m 14 and what is this” as a meme to get locked tho.

      Hell the auto flag system can hit you if you just talk like a kid sometimes.

    • Electricd@lemmybefree.net ⁨2⁩ ⁨weeks⁩ ago

      You often get age verification if your account got blocked because someone reported you to be underage

  • Octagon9561@lemmy.ml ⁨2⁩ ⁨weeks⁩ ago

    And this is why this provide xyz private information for verification bs should be illegal

    • ILikeBoobies@lemmy.ca ⁨2⁩ ⁨weeks⁩ ago

      And why any service asking it should be moved on from.

      Pretty sure these people could have found a teamspeak, matrix, or mumble server without the requirement.

      • Garbagio@lemmy.zip ⁨2⁩ ⁨weeks⁩ ago
        [deleted]
    • frezik@lemmy.blahaj.zone ⁨2⁩ ⁨weeks⁩ ago

      In this case, it’s the opposite for people in the UK. It’s illegal to not verify age.

  • PissingIntoTheWind@lemmy.world ⁨2⁩ ⁨weeks⁩ ago

    Thank god I never gave them an image.

  • TommySoda@lemmy.world ⁨2⁩ ⁨weeks⁩ ago

    Oh no it’s that thing everyone would say would happen!

    • ms_lane@lemmy.world ⁨2⁩ ⁨weeks⁩ ago

      Why shouldn’t I make the Torment Nexus!?

  • supersquirrel@sopuli.xyz ⁨2⁩ ⁨weeks⁩ ago

    Fuck Discord

    • theherk@lemmy.world ⁨2⁩ ⁨weeks⁩ ago

      I agree, but fuck this dumb law first and foremost.

    • seraphine@lemmy.blahaj.zone ⁨2⁩ ⁨weeks⁩ ago

      discord isn’t at fault here. I don’t say they do bad stuff, i just want to stick to the facts. It’s the UK government who forced them in the first place

      • viking@infosec.pub ⁨2⁩ ⁨weeks⁩ ago

        They enforced the verification, but discord was supposed to delete the images right after.

      • socialsecurity@piefed.social ⁨2⁩ ⁨weeks⁩ ago

        Are you really defending somebody else’s income generating business?

        Discord is a threat actor

  • cupcakezealot@piefed.blahaj.zone ⁨2⁩ ⁨weeks⁩ ago

    congrats everyone on your two free months of credit monitoring

  • TankovayaDiviziya@lemmy.world ⁨2⁩ ⁨weeks⁩ ago

    Politicians: That’s the point.

    Joking aside, now that I think about it, what difference does it make if companies are stealing info and spying on you with government mandated age verification checks, versus hackers stealing your government mandated age verification info? This just reinforces my view that governments (and companies) are nothing but glorified gangsters.

    • dogs0n@sh.itjust.works ⁨2⁩ ⁨weeks⁩ ago

      A hacker stealing your id can do way more malicious stuff like more expertly crafted phishing and identity fraud just to name two.

      No one involved in this from the government to the companies is innocent in this chain though in my opinion. A breach is always bound to happen.

      • LifeInMultipleChoice@lemmy.world ⁨2⁩ ⁨weeks⁩ ago

        To me giving a company or government permission to create the databases allowed for mass facial recognition is the same thing as giving the facial recognition data to criminals. It will be leaked/hacked/sold, etc. It is only a matter of time.

        How many Social security numbers in the U.S. have been leaked/hacked/sold/illegally transferred? ~340 million.

        Facial recognition will be a near useless tool for security in 10 years, and 100% for population monitoring at the rate we are going.

    • Brkdncr@lemmy.world ⁨2⁩ ⁨weeks⁩ ago

      Option 3: companies that you pay to provide authentication service. Regulated so that they clearly tell you if they are subsidizing service outside of your payments.

      We nearly already do this with certificate services and they would probably be in a good position to offer an id service.

      • gian@lemmy.grys.it ⁨2⁩ ⁨weeks⁩ ago

        > Option 3: companies that you pay to provide authentication service. Regulated so that they clearly tell you if they are subsidizing service outside of your payments.

        Then you just need to hack this company instead of Discord, you only change target.

  • avidamoeba@lemmy.ca ⁨2⁩ ⁨weeks⁩ ago

    To the surprise of no one here. This is the first thing I think of when a system wants me to upload an ID.

  • aliser@lemmy.world ⁨2⁩ ⁨weeks⁩ ago

    so instead of creating some kind of authorization system that would not require sending your private information to everyone the govt did nothing and instead put that responsibility on EVERY company. begs the question why rushing so much?

    • spicehoarder@lemmy.zip ⁨2⁩ ⁨weeks⁩ ago

      The Department of Social Security could have created some sort of public/private key pair to verify age and DOB. But that’s too much to ask for, isn’t it?

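spicehoarder’s comment above suggests that the authority which already holds the date of birth could sign an age claim with a key pair instead of every service collecting ID photos. The sketch below is an added illustration of that idea in Go with Ed25519; it is not code from this thread, from Discord, from k-ID or from any real government scheme. The issuer signs only an over-18 yes/no bound to the requesting service, a one-time nonce and an expiry, so the relying service verifies with the pinned public key and never receives a date of birth or an ID image. The issuer, the service name `chat.example`, the nonce values and all dates are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// AgeAttestation is the entire payload the relying service receives.
// It carries a yes/no answer plus binding and freshness fields; the
// date of birth and the ID image never leave the issuer.
type AgeAttestation struct {
	Over18   bool   `json:"over_18"`
	Audience string `json:"aud"`   // service this token was minted for
	Expires  int64  `json:"exp"`   // unix seconds
	Nonce    string `json:"nonce"` // challenge chosen by the service, stops replay
}

// SignedAttestation is what travels over the wire.
type SignedAttestation struct {
	Payload   []byte
	Signature []byte
}

// Issuer stands in for a hypothetical government authority that already
// knows the citizen's date of birth and holds the signing key.
type Issuer struct {
	priv ed25519.PrivateKey
}

// NewIssuer generates a fresh Ed25519 key pair; the public half is what
// every relying service pins.
func NewIssuer() (*Issuer, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Issuer{priv: priv}, pub, nil
}

// Issue computes the over-18 answer from the date of birth and signs only
// that answer. The DOB itself is deliberately not placed in the payload.
func (i *Issuer) Issue(dob time.Time, audience, nonce string, now time.Time, ttl time.Duration) (SignedAttestation, error) {
	claim := AgeAttestation{
		Over18:   !dob.AddDate(18, 0, 0).After(now), // 18th birthday has passed
		Audience: audience,
		Expires:  now.Add(ttl).Unix(),
		Nonce:    nonce,
	}
	payload, err := json.Marshal(claim)
	if err != nil {
		return SignedAttestation{}, err
	}
	return SignedAttestation{Payload: payload, Signature: ed25519.Sign(i.priv, payload)}, nil
}

// Verify is the relying service's side: check the signature against the
// pinned public key, then the binding and freshness fields, and only then
// trust the over-18 bit.
func Verify(pub ed25519.PublicKey, sa SignedAttestation, audience, nonce string, now time.Time) (bool, error) {
	if !ed25519.Verify(pub, sa.Payload, sa.Signature) {
		return false, errors.New("signature does not verify")
	}
	var claim AgeAttestation
	if err := json.Unmarshal(sa.Payload, &claim); err != nil {
		return false, err
	}
	if claim.Audience != audience {
		return false, errors.New("attestation issued for a different service")
	}
	if claim.Nonce != nonce {
		return false, errors.New("nonce mismatch: possible replay")
	}
	if now.Unix() > claim.Expires {
		return false, errors.New("attestation expired")
	}
	return claim.Over18, nil
}

func main() {
	issuer, pub, err := NewIssuer()
	if err != nil {
		panic(err)
	}
	now := time.Date(2025, 10, 1, 0, 0, 0, 0, time.UTC)
	// Constructed sample date of birth; the service never sees it.
	dob := time.Date(2000, 1, 1, 0, 0, 0, 0, time.UTC)
	sa, _ := issuer.Issue(dob, "chat.example", "nonce-123", now, 5*time.Minute)
	ok, err := Verify(pub, sa, "chat.example", "nonce-123", now)
	fmt.Println("over 18:", ok, "err:", err)
	fmt.Println("payload seen by service:", string(sa.Payload))
}
```

The audience and nonce fields are what keep a token minted for one service from being replayed at another, and the short expiry limits how long a captured token stays useful; a breach at the relying service then exposes a bag of signed booleans rather than identity documents. The issuer still learns which services a citizen visits unless the scheme adds unlinkability, which this sketch does not attempt.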
      • KelvarCherry@lemmy.blahaj.zone ⁨2⁩ ⁨weeks⁩ ago

        Have you seen the USA? UK? Russia? China? I really don’t want the government making any system to tie internet to any identity. I really don’t want any government having any role in the internet.

    • gian@lemmy.grys.it ⁨2⁩ ⁨weeks⁩ ago

      > so instead of creating some kind of authorization system that would not require sending your private information to everyone the govt did nothing and instead put that responsibility on EVERY company. begs the question why rushing so much?

      I would suppose that this is because there is not a single way that is valid for every govt. For example, in Italy we have SPID, which is different from what Germany, France and every other EU state have.
      If Discord wanted to use it, they would have to implement a number of ways to do it, which may not be that easy.

  • MyNameIsIgglePiggle@sh.itjust.works ⁨2⁩ ⁨weeks⁩ ago

    More than half of them turn out to be AI

    • prole@lemmy.blahaj.zone ⁨2⁩ ⁨weeks⁩ ago

      They’re all screenshots from Detroit: Become Human

  • frenchfryenjoyer@lemmings.world ⁨2⁩ ⁨weeks⁩ ago

    A certain subset of people: “B-but at least it stops kids seeing photos of dental decay!!!1111”

    • meliaesc@lemmy.world ⁨2⁩ ⁨weeks⁩ ago

      …what?

      • frenchfryenjoyer@lemmings.world ⁨2⁩ ⁨weeks⁩ ago

        my friend who also lives in the uk was unable to view a Reddit post that had a picture of dental decay because it was marked as nsfw and Reddit requires you to verify age using ID/selfie to be in compliance with the uk’s Online Safety Act to see anything marked as nsfw.

        my comment was a play on the people who think this is all worth it because it might prevent kids from seeing porn

  • Mwa@thelemmy.club ⁨2⁩ ⁨weeks⁩ ago

    this is why I don’t give my ID to any service (obviously including Discord) anymore.

    • frezik@lemmy.blahaj.zone ⁨2⁩ ⁨weeks⁩ ago

      The issue here is that age verification is mandatory in the UK, and not just for Discord.

      • Mwa@thelemmy.club ⁨2⁩ ⁨weeks⁩ ago

        yeah, that’s bad.

  • TheObviousSolution@lemmy.ca ⁨2⁩ ⁨weeks⁩ ago

    I’ve criticized the sort of personal information that is allowed to be managed by banking entities in the cases of Accidental Americans, where people who have nothing to do with America except that they were born in the US have their data handled by private entities to be passed onto governments they’ve never been in. Public entities that should handle and be responsible for it in their actual home countries want to wash their hands off from them and there’s too much money against too small of a minority for anyone to care about their rights. It doesn’t matter how banks have consistently proven that they or their staff can act criminally, either.

    At least here, it affects a lot more people so it will likely bring in the change and reform it needs, even if the sensitivity of this data is significantly less.

    Gonna have to say, this guy is definitely gonna be screwed by this:

    Image

    • prole@lemmy.blahaj.zone ⁨2⁩ ⁨weeks⁩ ago

      Keep on keeping on 👍

  • CannonFodder@lemmy.world ⁨2⁩ ⁨weeks⁩ ago

    So they have 2 million ai generated or free stock photos of faces?

  • nutsack@lemmy.dbzer0.com ⁨2⁩ ⁨weeks⁩ ago

    the only person who’s allowed to verify my age is my cat because he won’t stop being a dick about it

  • bhamlin@lemmy.world ⁨2⁩ ⁨weeks⁩ ago

    That’s why I used a picture of my anus for my age verification photo. The wrinkles are what sold it, I think.

  • adespoton@lemmy.ca ⁨3⁩ ⁨weeks⁩ ago

    Who exactly was required to submit age verification photos? Just US citizens?

  • AnarchistArtificer@slrpnk.net ⁨2⁩ ⁨weeks⁩ ago

    Quelle surprise

  • LustyArgonianMana@lemmy.world ⁨2⁩ ⁨weeks⁩ ago

    Just roll all the class actions into a UBI fund for the people

  • panda_abyss@lemmy.ca ⁨2⁩ ⁨weeks⁩ ago

    Well, now I feel better about using a throwaway email when I made my account.

  • WorldsDumbestMan@lemmy.today ⁨2⁩ ⁨weeks⁩ ago

    Including mine. Nice job Discord! Thanks for the fake age ban…this was their plan, wasn’t it?

  • peoplebeproblems@midwest.social ⁨2⁩ ⁨weeks⁩ ago

    Age verification photos?

  • ohshit604@sh.itjust.works ⁨2⁩ ⁨weeks⁩ ago

    So glad I ditched discord the second they considered going public, converting people to Matrix sucks because Element is terrible for group calls.

  • edgarzen@sh.itjust.works ⁨2⁩ ⁨weeks⁩ ago

    Don’t ever use Tencent apps
