- Name, Discord username, email and other contact details provided to Discord customer support.
- Payment type, last four digits of credit cards, and purchase history if associated with an account.
- IP addresses.
- Customer service agent messages.
- Limited corporate data (training materials, internal presentations).
- A small number of government‑ID images (e.g., driver’s licenses or passports) from users who had appealed an age determination.
The data did not include passwords, authentication data, full credit card numbers, CCV codes or messages shared on Discord, beyond those with customer support.
This is completely predictable
While I think the phrase “a small number” might be doing a lot of work here, the attack is completely predictable. It seems inevitable that once governments — such as the current UK administration — force users to share high-level security data simply to use social media, the unregulated services that verify those ID documents will become attractive targets for attack.
This is precisely what happened at Discord. That company turned to a third party to handle inquiries of this kind, that third party was hacked, and valuable data was stolen. This isn’t even the first such attack. A year ago, an attack against US ID verification service AU10TIX exposed names, dates of birth, nationality, identification numbers, the type of documents uploaded (such as a drivers’ license) and images of those documents.
This story originally appeared on Computerworld
