this post was submitted on 08 Oct 2025
778 points (99.2% liked)

Technology

75963 readers
3102 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related news or articles.
  3. Be excellent to each other!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
  9. Check for duplicates before posting, duplicates may be removed
  10. Accounts 7 days and younger will have their posts automatically removed.

Approved Bots

founded 2 years ago
MODERATORS
L3s@lemmy.world
enu@lemmy.world
technopagan@lemmy.world
L4s@lemmy.world
L3s@hackingne.ws
L4s@hackingne.ws
778
The Discord Breach Might Be Worse Than We Thought, As The Hacker Is Said To Have Two Million Age Verification Photos (www.thegamer.com)
submitted 3 days ago by return2ozma@lemmy.world to c/technology@lemmy.world
125 comments fedilink hide all child comments
top 50 comments
sorted by: hot top controversial new old
[–] cupcakezealot@piefed.blahaj.zone 25 points 2 days ago

congrats everyone on your two free months of credit monitoring

[–] frenchfryenjoyer@lemmings.world 19 points 2 days ago (5 children)

A certain subset of people: "B-but at least it stops kids seeing photos of dental decay!!!1111"

load more comments (5 replies)
[–] Darkcoffee@sh.itjust.works 308 points 3 days ago (2 children)

Anyone still defending age verification online is an idiot.

[–] CosmoNova@lemmy.world 81 points 3 days ago

I don‘t think I‘ve ever seen someone defend it online but there were a few people laughing it off which is not much better.

load more comments (1 replies)
[–] kylian0087@lemmy.dbzer0.com 54 points 2 days ago (3 children)

Proofs the UK is a shithole as well funnily enough.

Nothing against the Brits but their government oh damn that's bad.

[–] Blackmist@feddit.uk 14 points 2 days ago (2 children)

Wait til you see the next one.

:(

[–] Fraction9170@infosec.pub 13 points 2 days ago (1 children)

Yep. This is just the first. As long as individuals submit to these ID verifications, services which provide them will be highly targeted. I find it ridiculous that 1.5 million people actually submitted their info to access discord instead of finding a workaround or alternative. I can only imagine how many are gullible enough to verify on porn sites.

load more comments (1 replies)
load more comments (1 replies)
load more comments (2 replies)
[–] LustyArgonianMana@lemmy.world 7 points 1 day ago

Just roll all the class actions into a UBI fund for the people

[–] HexesofVexes@lemmy.world 215 points 3 days ago* (last edited 2 days ago) (16 children)

So, I looked at age verification - it was made clear photos were on device only and never transmitted.

If this turns out to be false, then the legal fallout would be apocalyptic.

(Edit: or not, see the comment by ambitiousprocess below)

[–] AmbitiousProcess@piefed.social 123 points 3 days ago (2 children)

These were photos submitted via the compromised support provider (Zendesk) via the Discord support portal.

Automated age verification via their partner (k-ID, which has its own issues) is a separate system, which was only available to some users. Other users had to contact Discord support manually and submit photo ID, which went through Zendesk, which was then compromised in this breach.

https://support.discord.com/hc/en-us/articles/360041820932-Help-I-m-old-enough-to-use-Discord-in-my-country-but-I-got-locked-out

Additionally, for the automated process, it's the video selfie that's on-device and never transmitted, but photos of your ID and selfie photo are transmitted, just supposedly deleted afterwards. Those ones are *not included in this breach, as far as we're aware, as it's an entirely different third-party with wholly separate infrastructure.

[–] NuXCOM_90Percent@lemmy.zip 56 points 3 days ago (1 children)

Which is why you farm off stuff like this to third parties whenever possible

DiscordCorp will get a slap on the wrist and give people an offer of a free six months of discord turbo (so long as you provide payment info so it can auto-renew on month seven).

But ANY meaningful consequences will go toward Zendesk Corp for not doing what they were supposed to. And... then everyone will just use ZZendesk instead

[–] Warl0k3@lemmy.world 24 points 3 days ago (4 children)

Well, yeah. Discord isn't exactly at fault here, they're operating as best they can within the boundaries of a piece of legislation that could be best described as gods gift to the "I-told-you-so" crowd. This breach is exactly what everyone was warning would happen with the UK ID laws, and discord got stung first as they're one of the few companies trying to adhere to the law in good faith (which, yes, why in hell they're trying to do this is good faith is a very good question)

load more comments (4 replies)
load more comments (1 replies)
[–] lemmyout@lemmy.zip 31 points 3 days ago (5 children)

What legal fallout? Discord made users agree to new terms just a week ago that involves forced arbitration.

[–] Azzu@lemmy.dbzer0.com 17 points 2 days ago (2 children)

Forced arbitration clauses are not legal in many European jurisdictions, so "agreeing" to them didn't actually do anything.

load more comments (2 replies)
load more comments (4 replies)
load more comments (14 replies)
[–] TankovayaDiviziya@lemmy.world 24 points 2 days ago (4 children)

Politicians: That's the point.

Joking aside, now that I think about it, what difference does does it make if companies are stealing infos and spying on you with government mandated age verification checks, and hackers stealing your government mandated age verification info? This just reinforces my view that governments (and companies) are nothing but glorified gangsters.

load more comments (4 replies)
[–] Octagon9561@lemmy.ml 49 points 2 days ago (2 children)

And this is why this provide xyz private information for verification bs should be illegal

[–] ILikeBoobies@lemmy.ca 16 points 2 days ago (1 children)

And why any service asking it should be moved on from.

Pretty sure these people could have found a teamspeak, matrix, or mumble server without the requirement.

load more comments (1 replies)
[–] aliser@lemmy.world 22 points 2 days ago (2 children)

so instead of creating some kind of authorization system that would not require sending your private information to everyone the govt did nothing and instead put that responsibility on EVERY company. begs the question why rushing so much?

[–] spicehoarder@lemmy.zip 8 points 2 days ago (1 children)

The department of Social security could have created some sort of public/private key pair to very age and DOB. But that's too much to ask for isn't it?

[–] KelvarCherry@lemmy.blahaj.zone 8 points 2 days ago

Have you seen the USA? UK? Russia? China? I really don't want the government making any system to tie internet to any identity. I really don't want any government having any role in the internet.

load more comments (1 replies)
[–] plz1@lemmy.world 122 points 3 days ago (5 children)

The fact that these photos and PII (personally identifiable information) were not destroyed after the verification process was certified is absolutely atrocious OpSec. I don't even care which of the two companies is ultimately responsible, because they are both responsible.

  1. Zendesk for their bad OpSec
  2. Discord for both outsourcing this AND not having contractual requirements to properly secure and destroy PII when it was no longer required.

I work in IT, and treat PII like it's dangerously radioactive, because in the digital world, it really is.

[–] prole@lemmy.blahaj.zone 10 points 2 days ago

That's because you have ethics

[–] TomArrr@lemmy.world 16 points 2 days ago (2 children)

"Apparently" only those who were challenging the verification results and uploaded awaiting reverification are affected.

Not that that isn't bad enough

load more comments (2 replies)
load more comments (3 replies)
[–] bhamlin@lemmy.world 11 points 2 days ago

That's why I used a picture of my anus for my age verification photo. The wrinkles are what sold it, I think.

[–] Mwa@thelemmy.club 19 points 2 days ago (1 children)

this is why i dont give my ID to any service(obv including Discord) anymore.

[–] frezik@lemmy.blahaj.zone 9 points 2 days ago (1 children)

The issue here is that age verification is mandatory in the UK, and not just for Discord.

load more comments (1 replies)
[–] PissingIntoTheWind@lemmy.world 46 points 2 days ago

Thank god I never gave them an image.

[–] chatokun@lemmy.dbzer0.com 51 points 2 days ago (12 children)

Hmm, I don't recall ever doing age verification for Discord. Were older accounts grandfather'd in, or is it currently limited by region or something?

[–] SoftestSapphic@lemmy.world 69 points 2 days ago (3 children)

I think it's a UK thing

They have been passing legislation to basically dox their citizens for them to gain access to the internet

[–] REDACTED@infosec.pub 34 points 2 days ago (1 children)

The Russia thanks UK for this valuable information

load more comments (1 replies)
[–] themachinestops@lemmy.dbzer0.com 15 points 2 days ago

It was obvious things like this will happen, unlike banks and government sites social media sites don't have strict cyber security requirements and they want these sites to have a government ID. It was a bad idea from the start.

load more comments (1 replies)
[–] Holytimes@sh.itjust.works 11 points 2 days ago

Any time your account gets locked for age reason it requires it. So if you have never had an age lock it's unlikely you had to do it.

It's as easy as someone reporting you for being underage with no proof or even just saying "I'm 14 and what is this" as a meme to get locked tho.

Hell the auto flag system can hit you if you just talk like a kid sometimes.

load more comments (10 replies)
[–] MyNameIsIgglePiggle@sh.itjust.works 23 points 2 days ago (1 children)

More than half of them turn out to be AI

[–] prole@lemmy.blahaj.zone 18 points 2 days ago

They're all screenshots from Detroit: Become Human

[–] nutsack@lemmy.dbzer0.com 12 points 2 days ago (1 children)

the only person who's allowed to verify my age is my cat because he won't stop being a dick about it

[–] Brkdncr@lemmy.world 8 points 2 days ago

I’d like to use your cat verification system too.

[–] supersquirrel@sopuli.xyz 31 points 3 days ago (5 children)

Fuck Discord

[–] theherk@lemmy.world 15 points 2 days ago

I agree, but fuck this dumb law first and foremost.

load more comments (4 replies)
[–] TheObviousSolution@lemmy.ca 15 points 2 days ago (2 children)

I've criticized the sort of personal information that is allowed to be managed by banking entities in the cases of Accidental Americans, where people who have nothing to do with America except that they were born in the US have their data handled by private entities to be passed onto governments they've never been in. Public entities that should handle and be responsible for it in their actual home countries want to wash their hands off from them and there's too much money against too small of a minority for anyone to care about their rights. It doesn't matter how banks have consistently proven that they or their staff can act criminally, either.

At least here, it affects a lot more people so it will likely bring in the change and reform it needs, even if the sensitivity of this data is significantly less.

Gonna have to say, this guy is definitely gonna be screwed by this:

[–] prole@lemmy.blahaj.zone 9 points 2 days ago

Keep on keeping on 👍

load more comments (1 replies)
[–] TommySoda@lemmy.world 36 points 3 days ago (1 children)

Oh no it's that thing everyone would say would happen!

load more comments (1 replies)
[–] avidamoeba@lemmy.ca 24 points 3 days ago

To the surprise of no one here. This is the first thing I think of when a system wants me to upload an ID.

load more comments
view more: next ›