70,000 government IDs were exposed in a Discord breach - could yours be next?

NurPhoto/Contributor/Getty Follow ZDNET: Add us as a preferred source on Google. ZDNET's key takeaways A third-party service for customer support was hit. About 70,000 users may have had government ID photos accessed. The incident highlights the challenges of state-imposed age verification. Discord has revealed the theft of around 70,000 government-issued ID photos in a recent data breach. The platform was targeted by cybercriminals who compromised one of Discord's third-party vendors. The vendor in question provided customer support services, including age verification, which requires a photo ID displaying the user's date of birth -- a mechanism launched in response to new age verification laws imposed in the UK, which is being followed in the EU, Australia, and some US states. Also: Hackers stole 1 billion records from Salesforce customer databases with this simple trick - don't fall for it The company said the cyberattack's overall aim was to use the stolen data as leverage to secure a "financial ransom." In a security advisory, Discord was keen to emphasize that the data breach didn't occur at Discord -- a messaging platform popular with gamers that has amassed approximately 200 million users worldwide -- but instead through the third-party. What was stolen? Information provided by users to customer support may have included names, Discord usernames, email addresses, contact details, limited billing information, purchase histories, messages between users and customer service reps, and government-issued ID photos. Full credit card numbers, card CCV codes, and authentication data (such as passwords) were not involved in the breach. Who was impacted? Discord has not revealed the exact number of users embroiled in the data breach, beyond saying that the government-issued photo IDs of 70,000 users were exposed. "This incident impacted a limited number of users who had communicated with our Customer Support or Trust & Safety teams," Discord said. Also: AI is making cybercriminal workflows more efficient too, OpenAI finds In other words, we don't know just how many users are involved worldwide. A group that has claimed responsibility for the breach said it stole information belonging to 5.5 million unique users, according to Bleeping Computer, but Discord told the publication "the numbers being shared are incorrect and part of an attempt to extort a payment from Discord." How has Discord responded? Once the security incident came to light, Discord revoked the customer support provider's access to the ticketing system, launched an investigation, hired a cyberforensics firm, and notified law enforcement. Discord is "continuing to investigate this matter [and] working closely with law enforcement." How can I know if I am involved? Discord is in the process of notifying impacted users -- and in particular, if your government ID photo was leaked, this will be mentioned in the email sent to victims. "Looking ahead, we recommend impacted users stay alert when receiving messages or other communication that may seem suspicious," Discord added. "We have service agents on hand to answer questions and provide additional support. We take our responsibility to protect your personal data seriously and understand the inconvenience and concern this may cause." What should I do if I think I am involved in this breach? Considering how fresh this security incident is, we have yet to hear whether or not victims will be offered any of the usual -- a free year of credit monitoring, for example. If you're concerned about potential ID theft or financial fraud, however, take the following steps. Check out HaveIBeenPwned : You can use the HaveIBeenPwned website to see what data breaches you may have been involved in. Keep in mind, however, that it can take time for new breaches to appear in the database. : You can use the HaveIBeenPwned website to see what data breaches you may have been involved in. Keep in mind, however, that it can take time for new breaches to appear in the database. Sign up for a credit monitoring agency : Even a free service can alert you to any unexpected changes on your credit file, such as someone fraudulently using your information to take out a loan. : Even a free service can alert you to any unexpected changes on your credit file, such as someone fraudulently using your information to take out a loan. Freeze your credit, payment cards : If you believe you may be a victim of financial fraud due to strange credit monitoring alerts or unexpected transactions, contact your financial services provider immediately to issue a temporary freeze. You may also be able to do this yourself via banking and financial apps. : If you believe you may be a victim of financial fraud due to strange credit monitoring alerts or unexpected transactions, contact your financial services provider immediately to issue a temporary freeze. You may also be able to do this yourself via banking and financial apps. Consider your government ID : Depending on your location and local laws, if Discord says your photo ID has been exposed, you should consider reaching out to relevant authorities to make them aware of the situation. : Depending on your location and local laws, if Discord says your photo ID has been exposed, you should consider reaching out to relevant authorities to make them aware of the situation. Watch for updates: Keep an eye out for any communication from Discord with updates. Age verification policy challenges Discord is a victim, just as the estimated 70,000 users who handed over their photo IDs. Now, it's possible that those photos could be used in identity theft and financial fraud. They're out there, and this means that each victim has to go through the process of finding out, potentially having to inform authorities, and potentially securing a replacement government-issued ID. Discord may call 70,000 a "small number of government‑ID images," but to each of those 70,000 individuals, it's not a small matter. The need to submit sensitive information just to access a website, whether a messaging platform or pornography, always had the potential to become a privacy disaster. The concern is that these policies don't improve the safety of children, but rather erode the privacy, safety, and potentially financial security of an entire population. Get the biggest stories in tech every Friday with ZDNET's Week in Review newsletter. (Let's not forget to mention that you can use a VPN to bypass many of these checks, anyway.) To make matters worse, the responsibility of ensuring this information is kept safe and secure has been imposed on organizations worldwide, with different security approaches and levels of maturity. The government that imposed the law doesn't have to deal with the real-world consequences. So, what's the answer? If you want to protect children and stop them from accessing content they shouldn't, device-level controls are, and continue to be, the best approach. Trust parents enough to impose the right levels of control at appropriate ages, and, perhaps, provide more support and resources for parents who don't consider themselves tech-savvy enough to handle the task. Discord may be the first significant case, but it will likely not be the last.