
Hackers have successfully breached Discord’s Zendesk support system, stealing sensitive age-verification photos from 2.1 million users. The malicious actors are reportedly attempting to extort the platform with the threat of releasing this sensitive data.
In a recent X post, malware repository VX-Underground shared details indicating that those responsible for the breach are demanding concessions from Discord after compromising its Zendesk instance, which held substantial user data, including 2,185,151 photos used for age verification, many of which are likely of driver’s licenses or passports.
“Discord users’ driver’s license and/or passport might be leaked,” VX-Underground warned.
This incident took place on September 20 when user data from Discord’s Zendesk system was accessed. On the following Friday, Discord acknowledged the issue, claiming it had affected only a limited number of users.
Discord has published an official response to this security incident.
Source: VX-Underground
“Few ID images accessed”
Discord stated that the unauthorized party had gained access to a limited number of government-issued ID images from users who had appealed their age verification decisions. The platform promised to notify affected individuals by email.
Some users voiced concerns about the storage of this sensitive data, emphasizing that Discord had previously given assurances that age verification data was deleted once the corresponding age group was confirmed. However, it appears the photos did not come from the verification system itself, but were submitted during the appeal process.
Discord age verification screen. Source: Discord
The Risks of Age Verification
Numerous privacy and cybersecurity advocates criticize requiring document checks for age verification on online services. They argue that storing vast amounts of sensitive data makes servers prime targets for cybercriminals, as this incident shows.
In the crypto sector, some assert that safer alternatives exist. For example, the layer-1 proof-of-stake blockchain Concordium unveiled a mobile app that allows users to confirm their age without revealing their identity.
This application utilizes zero-knowledge proofs (ZK-proofs) to mathematically verify users’ age without requiring them to disclose specific details. This approach would help mitigate the risks related to storing extensive photographs of identity documents in databases susceptible to breaches.
Systems that implement ZK-proofs do not necessarily need cryptocurrencies. Google Wallet has also integrated ZK-proofs for age verification as of late April.