Discord has confirmed that a data breach of their customer support platform has leaked at least 70,000 government IDs that were being used for age verification, something required in the UK since July to satisfy the Online Security Act.
I think you’ll agree that this is pretty much the exact opposite of online security.
Amongst the leaked data was personal information, including partial credit card details, messages to customer support agents and, because disputed age checks had to be diagnosed and manually verified, government ID images. No full payment details or user login details were affected.
The attack on Discord didn’t affect the company’s main servers and infrastructure, but instead targeted a third-party customer support service. This is a particularly common avenue that bad actors use to gain access to company data, by obtaining logins for external services used for internal communication and customer support.
The extent of the cyber-attack is in dispute. Discord admits to 70,000 government IDs being leaked, but the hacker group that has claimed responsibility says it had access for 58 hours after compromising the account of a support agent at an outsourced provider, which let it download 1.5TB of sensitive data, including over 2.1 million government IDs. Discord disputes these figures, telling the BBC that the numbers were inflated and “part of an attempt to extort payment”.
While Discord did not name the third party service, the hackers said that it was the Zendesk portal that was affected. Speaking to the BBC, Zendesk said that its systems were not compromised through a vulnerability within its platform.
Discord is still in the process of investigating the attack and working with law enforcement, and they are getting in touch with affected users.
They state:
“If you were impacted, you will receive an email from noreply@discord.com. We will not contact you about this incident via phone – official Discord communications channels are limited to emails from noreply@discord.com.”
So… remind me again why successive UK governments decided not only to pass online age verification laws, but also not to take a hands-on approach to securely implementing an anonymised form of this?
Source: Discord, BBC, CyberSecurityNews