Why were these images not encrypted, and why were they retained for longer than was necessary?
But honestly just delete them ASAP, that's the issue
The main thing encryption prevents is someone that steals a physical device getting access to the data inside. It doesn't do much about unauthorized access to live servers.
Generally it's done via accessing some 3rd party secret storage system where employees need to verify themselves to get access (eg. Vault, or AWS secrets or what have you)
z> nomilk 8 minutes ago | prev | next [–]
> The hacker claims an outsourced worker was compromised through a $500 bribe Also interesting:
> The hacker claims government IDs were just sitting there for months or even years... I have spoken to people familiar with Discord's Age Verification system, and they said after some period of time Discord will delete (the copies of IDs), but they should be deleting them the second they're done
Source (pinned comment, and 7m20s respectively): https://www.youtube.com/watch?v=NnuyT8FgSpA
reply
You want to have encryption, but I doubt their encryption or lack thereof has anything to do with this attack. Do we even have evidence the data wasn't encrypted?.
If someone gets access to a ticketing system they shouldn't have, talking about encryption is about as useful as talking about seatbelts. Important for general safety but irrelevant to the problem at hand.
it's stated in the article. In most cases they weren't, the data breach only affected people who disputed the result of their age verification.
Of course in principle Discord or any third party should never need any photographic identity themselves to begin with if countries would bother to implement a proper trusted identity system where the data stays with an authority and they simply sign off on requests. Like in South Korea or the eID features you have on most European national ID cards.
It’s a flawed design. No reason to retain the personal info for more than the processing time. Aka the duration of the dispute process itself (not the queue of disputes).
The principal engineer who signed it off should go to jail.
Aka, the system design was wrong. The buck has to stop somewhere. Somebody signed it off.
If you don’t hear back, even better, less private data to worry about.
I personally think doing ID verification of physical documents over the internet is just a non-starter. I've unfortunately had to support such systems for years at a time, and I'm thankful I don't do it anymore.
Indeed.
Saying this only affected disputes doesn't answer the question. It also makes it clear they knew deleting IDs was important, but did they not have proper deletion in their dispute system? If this was only new active disputes, I would expect discord to say so, but it sounds like the data in the leak goes back a lot further.
Indeed. But in the UK the only really loud voices against the porn age laws are also the same voices against the latest digital ID proposals.
It's logical to say "we don't need either of these two things".
But the status quo of ID verification of all kinds (for things like finance agreements, some online purchases, KYC, checking into some hotel chains if you're not the card holder who paid, etc.) is horrifying and involves uploading scans of paper documents. Every time someone says "I don't need a digital ID thanks" I ask them how many times they've let someone take a flatbed or photocopier scan of their passport or driving licence in real life (it's usually not zero) and then I ask them to explain to me how they would do that if it is online, and if they ever asked how long they are retained.
The absence of such means that there are few ways for people to verify their ages without handing over scans of their IDs to far too many organisations.
In the UK we do have one means to do this that is not widely used yet: since all mobile phone providers attempt to block adult content by default until the owner proves they are an adult (a pretty long-standing pre-existing child safety/parental control initiative by PAYG providers that has evolved to be standard across all contract types), the question of "can you prove you are 18" can now be delegated to the MNOs. But not all the age verification agencies are doing it.
Are they any safer? Roadblocks rarely stopped me as a kid. These kinds of impediments most often resulted in me strategically moving what I was doing to somewhere out of sight of the gatekeepers, most often resulting in less safety. Where do most kids learn to play with fire in modern society? in very very dangerous places.
He made a comment about how good orange peels smelled when you burned them. I leaned into this comment with curiosity and personal ignorance on the matter.
He said yeah and then looked around made the shush shush signal and leaned in, and invited me to do the same. He took an orange peel and brushed it across his opened lighter flame. Nobody caught us, and I smelled firsthand What he was talking about. Nobody got into trouble over this innocent demonstration. But for sure as hell you would have gone into trouble for this uncensioned demonstration of fire usage.
My kids had a honest conversation with me about possible Wikipedia ban and VPNs maybe a week in. Their classmates were already using it.
The hacker contacted some well known youtuber that talks about discord, they provided contents of support tickets of the YouTuber to prove they were really the hacker
Also interesting:
> The hacker claims government IDs were just sitting there for months or even years... I have spoken to people familiar with Discord's Age Verification system, and they said after some period of time Discord will delete (the copies of IDs), but they should be deleting them the second they're done
Source (pinned comment, and 7m20s respectively): https://www.youtube.com/watch?v=NnuyT8FgSpA
"Privacy."
[1] https://www.ibtimes.co.uk/british-councils-used-ripa-conduct...
[2] https://en.wikipedia.org/wiki/Investigatory_Powers_Act_2016#...
I already bought a vps in turkey and installed a vpn on it, cost 10€ a year but it's a small price to pay to not have his ID stolen.
dbg31415•4h ago
If parents don’t want their kids playing certain games, or if a community is more adult in nature, then don’t buy those games for them. If they don’t want their kids exposed to bad influences, they can move the computer into a shared space or—better yet—just engage with their kids on a human level. That’s called parenting.
Politicians shouldn’t be meddling in this kind of personal interaction. It didn’t work when Nancy Reagan or Tipper Gore tried to police music, and it’s not working now. Modern authoritarians are just running the same tired playbook.
Age verification doesn’t make kids safer. It adds bureaucracy, harvests private data, and pretends to solve a problem that only families can actually fix. The result is more surveillance, less trust, and the illusion of protection.
maccard•4h ago
> I don’t understand why we need age verification in Discord. Why should people who play games have to prove they’re old enough to talk to others? It’s not like anyone ever forced anybody else to join your Discord community, it’s all opt in!
Discord doesn't require age verirication for voice chat, it requires it for access to "sensitive media", or when yuo try to access a channel that has self opted in as age restricted [0].
[0] https://support.discord.com/hc/en-us/articles/30326565624343...
idle_zealot•3h ago
Broadly I agree. I think there is room for good regulation here, though. Specifically, a legal obligation to hook into parental control systems to enable effective parenting in our increasingly complex digital world. While it would be nice if everyone were individually responsible enough to put in the effort to figure out the specifics of what their kids might be exposed to and the control mechanisms available to them, realistically that's probably expecting too much. There's no perfect solution, but intervention focused on obligating (especially large) organizations to empower users and make safety easy to understand and act on is infinitely preferable to obligating companies to restrict and police their users.
debo_•3h ago
squigz•3h ago
debo_•2h ago
mulmen•1h ago
Channels have to opt in and participants have to follow the rules, right?
Isn’t the real issue that you don’t know and trust all the participants personally?
charcircuit•3h ago
mulmen•3h ago
awesome_dude•3h ago
For the record.
A law doesn't stop anything.
All a law does is says "If some behaviour meets definition X AND the state becomes aware of it, then consequence Y will be applied by the state"
The hope is that people will see that and make a choice that ensures that they aren't liable for the consequence.
It's also, like everything, as effective as the enforcement. If it's not enforced well, nobody will abide by it.
mulmen•1h ago
Might be applied, and the terms are negotiable.