Major Discord hack exposes the real risks of digital ID
The Discord user data breach offers yet another argument against the UK government’s authoritarian plans for Digital ID. A sensible government would consider the implications before forcing people to risk information with a stunt like this.
So, what happened?
The online speculation is that millions of government ID data items might have been stolen in an attack against an identity verification service used by Discord. Discord says it has “identified approximately 70,000 users that may have had government-ID photos exposed, which our vendor used to review age-related appeals.”
It also said it is communicating with users affected by the hack and is working with law enforcement to investigate the matter.
What happened at Discord?
“Recently, we discovered an incident where an unauthorized party compromised one of Discord’s third-party customer service providers. The unauthorized party then gained access to information from a limited number of users who had contacted Discord through our Customer Support and/or Trust & Safety teams,” the company said in a statement.
The leaked information included:
Name, Discord username, email and other contact details provided to Discord customer support.
Payment type, last four digits of credit cards, and purchase history if associated with an account.
IP addresses.
Customer service agent messages.
Limited corporate data (training materials, internal presentations).
A small number of government‑ID images (e.g., driver’s licenses or passports) from users who had appealed an age determination.
The data did not include passwords, authentication data, full credit card numbers, CCV codes or messages shared on Discord, beyond those with customer support.
This is completely predictable
While I think the phrase “a small number” might be doing a lot of work here, the attack is completely predictable. It seems inevitable that once governments — such as the current UK administration — force users to share high-level security data simply to use social media, the unregulated services that verify those ID documents will become attractive targets for attack.
This is precisely what happened at Discord. The company turned to a third party to handle inquiries of this kind, that third party was hacked, and valuable data was stolen. This isn’t even the first such attack. A year ago, an attack against the US ID verification service AU10TIX exposed names, dates of birth, nationality, identification numbers, the type of documents uploaded (such as a driver’s license) and images of those documents.
It is naive to expect that Discord’s vendor will be the only ID verification partner to face attacks, and futile to believe for a second that it will be the only one to succumb to them. That the ID verification companies are subject to only light regulation makes this a massive threat to digital security — particularly given potential links between them and foreign intelligence agencies.
Surveillance and security, UK style
This is a big challenge for UK users, so recently forced to share such information with social media services in response to the UK’s so-called Online Safety Act (a piece of legislation that leaves us all less safe than before). Anyone in the UK who shared this information with Discord’s ID verification service in response to that Act has been left exposed by the government’s ineptitude. It’s not as if experts on online privacy and security did not warn of the potential consequences, but the government chose not to listen, preferring to maintain its addiction to state surveillance.
Every UK subject who finds their personal information compromised as a result of sharing ID documents — just to keep visiting their favorite online gaming community on Discord — has only one entity to blame, and it’s not Discord. It’s the UK government.
The big picture
This absolutely won’t be the last big break-in for this kind of user data. Quite apart from financial fraud, criminals also know how to use legitimate passport data to create fake IDs. And the net result of hacks like this will be deep security exposure for UK citizens and a whole flotilla of fake documentation to be shared across criminal groups, hostile nation states, and refugees seeking safety.
Indeed, far from making the online or physical world any safer, UK ineptitude has effectively created a big dollop of insecurity we haven’t even felt the impact of yet. As more such services are hacked, more damage will be done.
Prepare for worse
With the UK committed to forcing Digital ID on an unwilling nation, there is a high probability it will become a target. That would matter less if online security could be guaranteed, but it can’t. And these days, every business operating online has adopted a “when,” not “if,” approach to security.
In other words, they know they will be hacked or attacked one day, and will have plans in place for what to do when it happens. The UK ID experiment might approach security in a similar way, but it is certain it will be attacked, some attacks will succeed, and data stolen in those attacks will be abused.
Discord’s misfortune is a warning of what’s to come. It is certainly an indication that before people are forced to use third-party verification services, a set of regulatory standards and a legal apparatus for generous compensation if a user is impacted should be in place.
At present, this does not exist, which means these systems leave us more exposed to fraud and other online harms than we were before.
You can follow me on social media! Join me on BlueSky, LinkedIn, and Mastodon.
Major Discord hack exposes the real risks of digital ID – Computerworld