A significant data breach concerning Discord`s age-verification process, initially piloted in the United Kingdom, has potentially compromised the personal information of millions of users. This incident originates from a cyberattack on 5CA, a third-party service provider engaged by Discord to manage age-verification responsibilities.
Discord initially disclosed that the government-issued IDs of approximately 70,000 users might have been exposed through the 5CA breach. The company reassured its users that its internal messaging systems were largely unaffected, with the exception of communications with customer support or trust and safety agents.
However, a subsequent report by Cyber Security News suggests a much broader impact, indicating that the number of stolen government IDs could be as high as 2.1 million. This report further estimates that the total number of affected individuals might reach approximately 5.5 million unique users, spread across 8.4 million support tickets.
The attackers reportedly attempted to extort Discord, claiming possession of 1.5 terabytes of stolen data. This compromised data is believed to include sensitive details such as usernames, email accounts, IP addresses, and potentially the last four digits of credit card numbers. Discord has provided assurance that complete credit card numbers and CCV codes were not compromised in the breach. The company is actively collaborating with law enforcement authorities and is in the process of notifying all affected users via email.
A major concern arising from this breach is the potential leak of ID photographs, an issue that had previously sparked debate regarding the UK`s age verification requirements. It appears 5CA was tasked with performing manual reviews for users whose initial ID scans were rejected or for those appealing age-related account suspensions.
This incident adds to a series of recent challenges for the platform. Discord has previously been involved in high-profile cases, including Nintendo`s attempt to subpoena the platform for information related to a major Pokemon leak. Furthermore, US Congressional Republicans have previously called for the CEOs of Discord, Steam, and Twitch to provide testimony before Congress regarding allegations of radicalization occurring on their respective platforms.