Proofs the UK is a shithole as well funnily enough.
Nothing against the Brits but their government oh damn that’s bad.
The Discord Breach Might Be Worse Than We Thought, As The Hacker Is Said To Have Two Million Age Verification Photos
Submitted 14 hours ago by return2ozma@lemmy.world to technology@lemmy.world
https://www.thegamer.com/discord-data-breach-2-million-photos-1-5tb-age-verification-zendesk/
Comments
kylian0087@lemmy.dbzer0.com 57 minutes ago
Darkcoffee@sh.itjust.works 14 hours ago
Anyone still defending age verification online is an idiot.
CosmoNova@lemmy.world 14 hours ago
I don‘t think I‘ve ever seen someone defend it online but there were a few people laughing it off which is not much better.
Octagon9561@lemmy.ml 3 hours ago
And this is why this provide xyz private information for verification bs should be illegal
HexesofVexes@lemmy.world 14 hours ago
So, I looked at age verification - it was made clear photos were on device only and never transmitted.
If this turns out to be false, then the legal fallout would be apocalyptic.
mr_pip@discuss.tchncs.de 37 minutes ago
you agree to legal mediation other than a court in their terms of service, so… not really
AmbitiousProcess@piefed.social 13 hours ago
These were photos submitted via the compromised support provider (Zendesk) via the Discord support portal.
Automated age verification via their partner (k-ID, which has its own issues) is a separate system, which was only available to some users. Other users had to contact Discord support manually and submit photo ID, which went through Zendesk, which was then compromised in this breach.
Additionally, for the automated process, it’s the video selfie that’s on-device and never transmitted, but photos of your ID and selfie photo are transmitted, just supposedly deleted afterwards. Those ones are *not included in this breach, as far as we’re aware, as it’s an entirely different third-party with wholly separate infrastructure.
NuXCOM_90Percent@lemmy.zip 13 hours ago
Which is why you farm off stuff like this to third parties whenever possible
DiscordCorp will get a slap on the wrist and give people an offer of a free six months of discord turbo (so long as you provide payment info so it can auto-renew on month seven).
But ANY meaningful consequences will go toward Zendesk Corp for not doing what they were supposed to. And… then everyone will just use ZZendesk instead
HexesofVexes@lemmy.world 3 hours ago
Neat summary and cleanup - editing original post to point at this.
lemmyout@lemmy.zip 10 hours ago
What legal fallout? Discord made users agree to new terms just a week ago that involves forced arbitration.
Azzu@lemmy.dbzer0.com 3 hours ago
Forced arbitration clauses are not legal in many European jurisdictions, so “agreeing” to them didn’t actually do anything.
Holytimes@sh.itjust.works 2 hours ago
Forced arbitration tends to backfire massively when you have something of this scale because of everyone starts doing it. The cost of that forced arbitration is more than what the lawsuits would have been without it. It’s a big reason why like steam got rid of it. If you get too many people trying to go after you, it’s just not worth it and costs too much.
REDACTED@infosec.pub 4 hours ago
I’m not sure if Discord’s ToS apply to zendesk
Assassassin@lemmy.dbzer0.com 14 hours ago
Here’s the information directly from the FAQ as of right now:
Q: Is my data stored when I use Face Scan or Scan ID verification?
A: Discord and k-ID do not permanently store personal identity documents or your video selfies. The image of your identity document and the ID face match selfie are deleted directly after your age group is confirmed, and the video selfie used for facial age estimation never leaves your device.
LyD@lemmy.ca 13 hours ago
That sounds like the video stays on your device but the photos do not.
oplkill@lemmy.world 13 hours ago
Big company lies again what a big surprise
Ganbat@lemmy.dbzer0.com 10 hours ago
Yeah, but those methods of verification weren’t the subject of this breach, this was some manual bullshit done through Zendesk.
floofloof@lemmy.ca 14 hours ago
Where is that small print? It should be archived before Discord tries to change it.
HexesofVexes@lemmy.world 14 hours ago
…discord.com/…/30326565624343-How-to-Complete-Age…
Check down on data security ;)
renegadespork@lemmy.jelliefrontier.net 13 hours ago
Idk it doesn’t seem like there are any legal consequences for tech companies anymore.
ipkpjersi@lemmy.ml 7 hours ago
Definitely not, laws are only for the poors.
PissingIntoTheWind@lemmy.world 7 hours ago
Thank god I never gave them an image.
plz1@lemmy.world 11 hours ago
The fact that these photos and PII (personally identifiable information) were not destroyed after the verification process was certified is absolutely atrocious OpSec. I don’t even care which of the two companies is ultimately responsible, because they are both responsible.
- Zendesk for their bad OpSec
- Discord for both outsourcing this AND not having contractual requirements to properly secure and destroy PII when it was no longer required.
I work in IT, and treat PII like it’s dangerously radioactive, because in the digital world, it really is.
TomArrr@lemmy.world 7 hours ago
“Apparently” only those who were challenging the verification results and uploaded awaiting reverification are affected.
Not that that isn’t bad enough
Kissaki@feddit.org 6 hours ago
That’s even worse, in my eyes. Maybe not in scale, but when appeal process is more vulnerable, that seems very questionable.
luciferofastora@feddit.org 4 hours ago
Me when I get a request for PII pertaining to a suspected corruption case: Have one of our corporate lawyers give me a written and explicit statement of what data I’m supposed to send to whom or get bent. I’m not touching that with a ten foot pole and gloves unless I have a legally solid affirmation that what I’m doing won’t come back to bite me, and that our workers’ council knows about it and will back me up.
I’m reluctant to even confirm that I can get that information in the first place. I mean, I’m the one with full access to the audit tool, so I probably do, but I’d have to access that data in the first place to check. I don’t think that anyone would notice or care so long as I don’t share that information, but as you said: dangerously radioactive; don’t touch if I can help it.
Zen_Shinobi@lemmy.world 9 hours ago
Right. It blows me away the required training we have to do for physical files more secured than Fort Knox! Tech world? Eh just throw it in the recycle bin
chatokun@lemmy.dbzer0.com 8 hours ago
Hmm, I don’t recall ever doing age verification for Discord. Were older accounts grandfather’d in, or is it currently limited by region or something?
SoftestSapphic@lemmy.world 8 hours ago
I think it’s a UK thing
They have been passing legislation to basically dox their citizens for them to gain access to the internet
REDACTED@infosec.pub 7 hours ago
The Russia thanks UK for this valuable information
themachinestops@lemmy.dbzer0.com 5 hours ago
It was obvious things like this will happen, unlike banks and government sites social media sites don’t have strict cyber security requirements and they want these sites to have a government ID. It was a bad idea from the start.
TomArrr@lemmy.world 7 hours ago
Also currently being rolled out in Australia too 😔
Electricd@lemmybefree.net 5 hours ago
You often get age verification if your account got blocked because someone reported you to be underage
Holytimes@sh.itjust.works 2 hours ago
Any time your account gets locked for age reason it requires it. So if you have never had an age lock it’s unlikely you had to do it.
It’s as easy as someone reporting you for being underage with no proof or even just saying “I’m 14 and what is this” as a meme to get locked tho.
Hell the auto flag system can hit you if you just talk like a kid sometimes.
newcool1230@lemmy.ml 8 hours ago
I believe people from EU and people who say they were under 13 and got reported. They needed to send in a pic of them holding their ID.
SaharaMaleikuhm@feddit.org 6 hours ago
Am from EU. Two accounts, but no ID confirmation required for either.
aeternum@lemmy.blahaj.zone 6 hours ago
damn. I’m a 2 month old infant. Will i need to send in my ID??
TheObviousSolution@lemmy.ca 2 hours ago
I’ve criticized the sort of personal information that is allowed to be managed by banking entities in the cases of Accidental Americans, where people who have nothing to do with America except that they were born in the US have their data handled by private entities to be passed onto governments they’ve never been in. Public entities that should handle and be responsible for it in their actual home countries want to wash their hands off from them and there’s too much money against too small of a minority for anyone to care about their rights. It doesn’t matter how banks have consistently proven that they or their staff can act criminally, either.
At least here, it affects a lot more people so it will likely bring in the change and reform it needs, even if the sensitivity of this data is significantly less.
Gonna have to say, this guy is definitely gonna be screwed by this:
supersquirrel@sopuli.xyz 9 hours ago
Fuck Discord
theherk@lemmy.world 6 hours ago
I agree, but fuck this dumb law first and foremost.
TommySoda@lemmy.world 12 hours ago
Oh no it’s that thing everyone would say would happen!
avidamoeba@lemmy.ca 13 hours ago
To the surprise of no one here. This is the first thing I think of when a system wants me to upload an ID.
AnarchistArtificer@slrpnk.net 8 hours ago
Quelle surprise
CannonFodder@lemmy.world 14 hours ago
So they have 2 million ai generated or free stock photos of faces?
AmbitiousProcess@piefed.social 13 hours ago
These were images of people’s ID’s, along with photos of their faces to check for a match, not stock photos or even just real selfies on their own.
Skunk@jlai.lu 13 hours ago
Half of those are Norman Reedus in Death Stranding 2.
Holytimes@sh.itjust.works 2 hours ago
Nah, it gets tricked by the first game just as easily lol
adespoton@lemmy.ca 14 hours ago
Who exactly was required to submit age verification photos? Just US citizens?
Kirp123@lemmy.world 14 hours ago
UK ones too.
Warl0k3@lemmy.world 14 hours ago
Just the UK, as far as I’m aware. Some US users have to verify by clicking the box, but I do not believe they’ve been required to upload ID or use the UK’s facial recognition nonsense.
From the discord age verification FAQ:
The age verification features described in this article are fully available only to users in the United Kingdom and apply to all new and existing UK accounts.
panda_abyss@lemmy.ca 14 hours ago
Well, now I feel better about using a throwaway email when I made my account.
shads@lemy.lol 13 hours ago
Throw away email! Are you going something illegal online that you would want to bypass the government and big techs absolute right to spy on everything you do! That’s it people will henceforth only get one single email address assigned at birth that they will be forced to use for all online interactions henceforth. I hope you feel ashamed of yourself with all the children you put at risk with your thoughtless selfish behaviour. Now upload an image of your face certified by a government official and a copy of your birth certificate just to be sure that
terrorists, uhcriminals, uh child abusers don’t win.*Please tell me this is the most superfluous /s of all time. *
peoplebeproblems@midwest.social 12 hours ago
Age verification photos?
ohshit604@sh.itjust.works 12 hours ago
So glad I ditched discord the second they considered going public, converting people to Matrix sucks because Element is terrible for group calls.
Holytimes@sh.itjust.works 2 hours ago
Should have just gone back to TeamSpeak 3
MyNameIsIgglePiggle@sh.itjust.works 49 minutes ago
More than half of them turn out to be AI