Hackers may have stolen the government ID photos of around 70,000 Discord users, the company said Wednesday evening.
In a statement, Discord, the popular chat app, said the breach affected people who had contacted the platform’s customer support or trust and safety teams to verify their ages and that it was emailing the people whose information was accessed.
Discord users can be required to prove they are adults to use the platform, a process that can require them to upload their government ID cards, including driver’s licenses and passports.
In the update, Discord said that it was not directly hacked but rather that the data was stolen because hackers “compromised one of our third-party vendors.”
Discord said that messages and activities were not breached and that it was working with law enforcement on investigating the matter.
The company did not respond to a question about which third-party company it blames for the incident.
In a Telegram channel created Tuesday and viewed by NBC News, people who claimed to be involved with the hack posted a smattering of files they claimed they stole in the incident, including a database of 1,000 users’ names, email addresses, cities and redacted phone numbers. They have also posted more than 100 photos of people holding government ID cards, seemingly taken as verification photos. NBC News has not independently verified the information is from the Discord breach.
Privacy advocates have warned that online age verification requirements put users at risk, as users often do not know what steps a company will take to protect sensitive personal information like images of government IDs.
Maddie Daly, assistant director of federal affairs at the nonprofit Electronic Frontier Foundation, which argues against the laws, said the Discord breach was a prime example.
“Age verification systems are surveillance systems,” Daly said.
“A person who submits identifying information online can never be sure if websites will keep that information or how that information might be used or disclosed. This leaves users highly vulnerable to data breaches and other security harms, as we see time and time again,” she said.
The breach is the latest instance in a string of hacks that have exposed similar photos that had been stored as part of an app’s identification process.
In July, the Tea app was hacked, and 72,000 images were exposed. The Tea app promised to create a safe space for women to share information about men but required users to upload photos of themselves to verify their gender.
