Per Discord's press release, it appears only a small subset of photo IDs were leaked:
>The unauthorized party also gained access to a small number of government ID images (e.g., driver’s license, passport) from users who had appealed an age determination.
I don't know about EU but in NL no company may ask you for your ID. Only government may. So if they insist, I show a censored version which hides vital data. There's also Yivi (Irna) an application which only shares (after verification) certain data like 'are you over 18 y.o.' (age of legal adolescence, driving age, drinking age) or something like your email address. Because companies CS never delete such data after verification. They sit on a goldmine of data, while data is a toxic asset (as per Schneier's essay).
This was inevitable the moment they started taking government ID for proving age. It was a terrible idea, it was made worse by the companies themselves being unproven. This will lead to substantial ID theft crime in the future, as many predicted. If its on the internet someone will get it, even the most capable internet companies have been hacked.
Regulation 1 mandates data collection, creating unintended consequences. Now, regulation 2 is required to counter the effects of regulation 1. Regulation 2's unintended consequences are similarly either unknown or ignored. This suggests that regulation 3 may be necessitated and that the trend may continue indefinitely.
In theory infinite regulations would suggest that no one would be permitted to do anything eventually. However, before we reach that point, the cost of compliance will be so high that publishing websites will become untenable.
An equilibrium of regulatory capture favoring large publishers will likely emerge before this point. Those large interests will have the resources to influence regulatory outcomes. Their incentives will include maintaining a sufficiently high barrier to entry while optimizing their own compliance costs.
I've felt kind of miffed in the past for not being able to join Discord communities. Discord always wanted my phone number, and I wasn't ready to share that.
Oh shit I received an email from discord saying some of my personal data on my discord account got breached. I have never used discord support aside from the one time where I contacted support to try to get my original discord account back because I lost my email but it was inevitable I didn't link my discord with any credit card info but maybe my phone number? What should I do now??
The best part is the ticket they say I’m a part of the breach with… Discord literally never even acted on it. They let the ticket go to the void and never had anyone in support answer it.
Effin hell, and they don't even let you remove your payment method from your account, just like Anthropic/Claude. Who needs to be smacked in the head to be taught that basic bit of user privacy/security?
16 comments
[ 2.9 ms ] story [ 36.5 ms ] thread>The unauthorized party also gained access to a small number of government ID images (e.g., driver’s license, passport) from users who had appealed an age determination.
https://discord.com/press-releases/update-on-security-incide...
Who wants to bet that this was the intended outcome all along?
It really is that simple.
In theory infinite regulations would suggest that no one would be permitted to do anything eventually. However, before we reach that point, the cost of compliance will be so high that publishing websites will become untenable.
An equilibrium of regulatory capture favoring large publishers will likely emerge before this point. Those large interests will have the resources to influence regulatory outcomes. Their incentives will include maintaining a sufficiently high barrier to entry while optimizing their own compliance costs.
some key facts Discord are maliciously intentionally withholding:
(approx.) amount of affected users, seeing hundreds of comments on reddit + twitter
tickets timespan, I personally have multiple support accounts, one has only one ticket from July which got the email
affected ticket categories
whether phone numbers were leaked (can lead to further attacks such as SIM swapping)
whether addresses were leaked (they carefully use language "limited billing information" rather than stating the exact pieces)
https://x.com/vxunderground/status/1975834621503062495
https://x.com/IntCyberDigest/status/1975846997568737666
https://x.com/IntCyberDigest/status/1975847000978694317
I am no longer miffed :)
Imagine a place…