Discord is reportedly being blackmailed by hackers who breached a database containing sensitive age verification data for more than 2.1 million users and are threatening to leak it.
In a Wednesday post on X, malware repository VX-Underground claimed that Discord was being blackmailed by a perpetrator who had compromised a Zendesk instance containing user data. This data includes 2,185,151 photos used to verify the age of 2.1 million users, including driver’s license and passport photos.
“Discord users’ driver’s licenses and passports may be compromised,” VX-Underground said.
The breach occurred on September 20th, when Discord’s Zendesk instance containing the data was compromised. On Friday, the gaming-oriented messaging platform publicized the incident, claiming that “this incident affected a limited number of users.”

Source: VX-Underground
“The number of ID photos is small”
“Unauthorized parties also accessed a small number of government ID images (driver’s licenses, passports, etc.) from users who have challenged age determinations,” Discord claims, promising to alert affected users via email.
Discord promises that age verification data will be “deleted immediately after the age group is verified,” so some users have questioned why the data was being stored at all. The breached data, however, did not come from the age verification system itself; it consists of photos sent to the help desk by users appealing a judgment rendered by the automated age verification system.

Discord’s age verification screen. Source: Discord
The dangers of age verification
Many cybersecurity and privacy advocates strongly oppose mandating document checks for age verification for online services. The reason is that when a large amount of sensitive data is stored on a server, as in this case, it becomes an attractive target for malicious attackers.
Some argue that there are safer alternatives in the world of cryptocurrencies and cryptography. In late August, Layer 1 proof-of-stake blockchain Concordium launched a mobile application that allows users to verify their age without revealing their identity.
The application relies on zero-knowledge proofs (ZK proofs) to mathematically verify whether a user has provided proof of age without disclosing the full details. This prevents a large number of document photos from accumulating on the server, which could later be compromised.
Systems that use ZK proofs do not need to rely on cryptocurrencies. Google Wallet, the search giant’s payments and digital card management application, announced in late April that it had integrated ZK proofs for age verification.