
Discord says users' government IDs used for age checks stolen by hackers

Thanks to age verification laws, expect more data breaches of users' government-issued passports and driver's licenses.

In a statement late on Friday, Discord confirmed that its third-party customer service systems were hacked, and users "who had contacted Discord through our Customer Support and/or Trust & Safety teams" had some of their data stolen.

The messaging and gaming giant didn't say much about the hack or the hackers responsible, but the limited details could align with recent mass-hacks targeting Salesforce-hosted databases or other cloud databases, which companies commonly use for storing customer information. Discord said the hackers targeted its customer service system "with a view to extort a financial ransom from Discord."

Discord said that the hackers stole data that includes Discord users' personal data, such as names and email addresses, IP addresses, some limited billing information, and messages sent to Discord customer service.

But also:

...The unauthorized party also gained access to a small number of government‑ID images (e.g., driver’s license, passport) from users who had appealed an age determination. If your ID may have been accessed, that will be specified in the email you receive.

Discord has over 600 million users, so that "small number" may not be so small after all.

Age verification laws are spreading around the world, and as a result, these kinds of hacks involving the theft of users' identity documents are only going to get worse.

In places like the United Kingdom (as well as several U.S. states, like Mississippi, Ohio, and Texas; with Australia and Europe up next), you have to upload your government-issued passport or driver's license — often to a third-party age verification service — to prove that you are allowed to access the website's "adult" content (your subjectivity may vary). Companies that don't comply with the law can face steep fines from government regulators, in some cases in the millions.

The problem with these ill-thought-out laws, often devised by hapless politicians with no background in tech and who don't understand how the internet works, is that they're already breaking the open internet.

The knock-on effects are that a lot of websites are subject to these age-checking rules that might not have been before, and have now started to require users to upload their identity documents. Smaller websites and forums that have no way to pay third-party services to check for their users' ages are instead opting to shut down, or block their sites to vast swathes of the online world.

The result is that companies are now forced to collect and amass huge amounts of people's passports and driver's licenses in centralized databases, which inevitably puts that data at risk of theft (or a legal demand by a government agency).

Case in point: Discord users are some of the first victims to suffer from a data breach under age verification rules.

Protecting kids online is difficult, and governments clearly haven't figured out how to do it yet. Penalizing entire populations by requiring the collection of their highly personal information might be the easiest solution for governments to come up with, but one that comes with considerable security and privacy risks that will end up harming people down the line.

Thank you so much for reading ~this week in security~. Please consider a paying subscription. Feel free to reach out with any feedback, questions, or comments about this article: this@weekinsecurity.com.

Updated to include an additional note and link to Zendesk, which Discord uses for its customer support.