Video game chat platform Discord has suffered a data breach, informing users that their personal information – including identity documents of those required to prove their age – was compromised.
The company stated last week that an unauthorised party had compromised one of Discord’s third-party customer service providers, leading to access to the data of “a limited number of users” who had been in contact with the customer service or trust and safety teams.
The data compromised may have included usernames, email, billing information, the last four digits of credit card numbers, IP addresses and messages with customer support.
Discord said the alleged attacker “also gained access to a small number of government ID images (eg driving licence, passport) from users who had appealed an age determination”.
Affected users were in the process of being notified as of last week.
“If your ID may have been accessed, that will be specified in the email you receive,” Discord said.
The support system was targeted to access user data with a view to extorting a financial ransom from Discord, the company stated.
Discord said it revoked the third-party provider’s access to its ticketing system and launched an internal investigation, including engaging with law enforcement.
The attack appears to have occurred on 20 September, according to a user who received a notification.
Discord has said it has over 200m active monthly users.
Discord began using facial age assurance to check the age of users in the UK and Australia earlier this year. The company said facial images and ID images “are deleted directly after” ages are confirmed, but Discord’s website noted that if verification fails, users can contact the trust and safety team for a manual review.
Under the under-16s social media ban to come into effect on 10 December, the Australian government has outlined that it expects platforms such as Discord – which is one of the platforms that has been asked to assess if it is required to comply – to have multiple options for assessing a user’s age, and a way for them to quickly appeal an adverse decision.
Platforms can ask for ID documents as part of the age assurance scheme, but it cannot be the sole method of age assurance offered by the platforms under the policy.
The Australian privacy commissioner confirmed it had been notified about the breach by Discord.
Discord was approached for comment.