How bad is the Discord hack? What you need to know.

Seventy thousand. That’s the number of users whose government-issued ID cards may have been stolen in a major breach of the popular chat and messaging app Discord. While that may seem like a small number considering Discord has hundreds of millions of users, there’s a more concerning factor here: tech companies continue to require identification of some of their users and the security risk involved in retaining that information.

What happened in the Discord hack?

Last week, popular chat and messaging platform Discord announced that a third-party customer support provider had suffered a breach. Any information provided by a user to a customer support representative with this third party could have potentially been stolen by a malicious actor. Discord said this included usernames, names, email addresses, chats with the customer support team, limited billing information such as the last four digits of a credit card, and photos of a “small number” of government IDs.

On Thursday, Discord updated this advisory to include more details, including a specific number of affected users. In total, up to 70,000 users had their government-issued IDs exposed. According to Discord, “Among affected accounts globally, we identified approximately 70,000 users who may have seen exposed government ID photos, which our provider used to review age-related calls.”

What are age-related appeals?

In the past, Discord did not collect users’ government IDs. However, many states have begun requiring certain apps and internet services to prove that users are not minors, whether through digital identification or facial recognition.

Discord allows users to submit a photo of themselves to prove their age; these photos are then transmitted to automated age verification systems. These systems estimate the user’s age and either let them access the site or deny them access. Submitted photos are then immediately removed from the age verification system.

However, in some cases these age verification systems get it wrong. Users can then submit an appeal along with a photo of their government ID. The Discord breach occurred when its third-party provider that handles its calls was hacked.

As these age verification requirements become more widespread, more sites will be forced to collect more information from users, giving hackers a wealth of new information to pilfer.

And now ?

As NBC News According to reports, hackers claiming to be behind the breach created a Telegram channel where they posted thousands of usernames, email addresses and other sensitive data. The hackers also posted more than 100 photos of individual Discord users holding up their government ID cards.

Discord says around 70,000 Discord users have had photos stolen from their logins by hackers who are now trying to extort the site. Hackers claim to have more than 2,185,000 photos, but Discord has denied this number, claiming that hackers exaggerate to extort a ransom. It’s unclear what actions Discord intends to take at this time.

As age verification laws increase, tech companies like Discord will likely need to develop new, more secure ways to verify the ages of their users.

Will Discord pay a ransom?

As is often the case with high-profile breaches, hackers attempt to extort a ransom. However, Discord claims that it will not pay ransom or “reward” the cybercriminals responsible. A Discord spokesperson told The Verge: “we will not reward those responsible for their illegal actions.”