This article reports on a significant data breach at Discord affecting approximately 70,000 users whose government-issued identification documents were exposed via a compromised third-party customer service provider. The reporting documents a serious privacy violation (Article 12), presents Discord's official response and denial of exaggerated breach claims, and notes cooperation with law enforcement and data protection authorities. The coverage is measured and well-sourced but gives no direct voice to affected users, only to the corporation and law enforcement.
> Discord has identified approximately 70,000 users that may have had their government ID photos exposed as part of a customer service data breach announced last week, spokesperson Nu Wexler tells The Verge.
Then a big PR quote, letting a potential wrongdoer further spin it.
Then closing with:
> In its announcement last week, Discord said that information like names, usernames, emails, the last four digits of credit cards, and IP addresses also may have been impacted by the breach.
This is awful corporate PR language, not journalism, on a big story about probable corporate negligence resulting in harm to tens of thousands of people.
Here's the bare minimum kind of lede I expect on this reporting:
Discord may have leaked sensitive personal information about 70,000 users -- including (but not necessarily limited to) government IDs, names, usernames, email addresses, last 4 digits of SSN, and IP addresses.
I don't know if I just became cynical and jaded, but is this really surprising to anyone in any way? Any time I give out my personal information to anyone for any reason, I basically treat it as 'any member of public can now access it'.
Even if a service doesn't have it in their TOS that they sell it to 3rd parties, they might do it anyway, or there will, sooner or later, be a breach of their poorly secured system.
To make it clear - I don't particularly blame any one corporation, this is a systemic issue of governments not having/not enforcing serious security measures. I just completely dropped the expectation of my information being private, and for the very few bits that I do actually want to stay private, I just don't, or allow anyone to, digitalize or reproduce them at all in any way.
I didn't feel comfortable giving Discord my phone number when they demanded it, so I lost access to the open source communities that insist on collaborating there.
I wish breaches like this would cause people to reconsider their choices but sadly, it's unlikely most users will move.
Companies usually promise that the ID would be used only for validation and then immediately deleted. How could so many IDs leak, then? Do they verify millions of IDs per month?
Discord uses Zendesk (1). However, in the press release they don't name the third party that was compromised, and Zendesk denies that it was their service.
What other third party was Discord using if not Zendesk? Whose reputation are they protecting?
One important problem that's mostly ignored is the lack of transparency about the third-party providers handling such sensitive ID documents. When a breach occurs, public statements rarely name the exact vendor responsible, making it difficult for affected users to understand who actually had access and who might still have their data. This opacity delays accountability and creates ongoing risks, since users have no meaningful way to audit or assess the practices of these shadow providers. Unless this layer of the data-handling ecosystem is discussed and regulated, future breaches will remain inevitable and largely untraceable.
The whole "it wasn't us, it was our third-party vendor" line is getting way too common. If you're collecting government IDs for age verification, the security bar should be extremely high... no matter who's handling the data
ID checks, driven by prudishness, are an absolute gift to the big social media companies. They're the only entities who (a) already know the check's answers, and (b) have the resources to keep hackers largely at bay.
I am not surprised these laws are landing with such little resistance.
Every time I see a data breach caused by a third-party vendor, I can't help but wonder why these big companies are so deeply reliant on outsourcing, yet so lax when it comes to controlling security.
The one approach that has never failed is to use a fake identity when signing up for online services. It is a violation of TOS but not a crime to do so. Only give your real information to the government. If companyX requires hard information but cannot protect this PII, then they don't deserve real data.
GDPR requires data minimalism and ~use case binding, so if you submit data for age verification there is no technical reason to keep it after knowing your age, so you _have to_ delete it.
Just a guess, but they may store the original ID card to audit duplicate accounts.
If their machine learning models think that two people are the exact same, having the original image, especially a photo of the same ID card, could confirm that.
That is the bonkers thing about this story. Why take on the liability? Get what you need and toss the responsibility. If you must store it (which seems unlikely) put that extra-bad-if-leaked information behind a separate append only service for which read is heavily restricted.
The issue is if you don't enforce the phone number requirement on your server you get all the trolls who don't use phone-numbered accounts. I wish Discord would allow you to restrict known VPNs instead of requiring phone numbers. It would solve so many issues. I know a LOT of VPNs won't be caught, but if you block MOST non-residential IP blocks, you'll capture a lot of them.
It is specifically because you got banned for "being under 13". It comes from someone asking a question like "How many candles in this photo?", then you reply "7", then they edit the message to say "How old are you?", and voila, underage ban.
What you are overlooking is that Discord is the new MSN Messenger, YIM, etc. Your friends are not backed up in a meaningful way, nor are the servers you're in; if you lose your account, you lose contact with basically your entire internet life and friends.
Discord should not keep those IDs longer than a month at a time; once the user is unbanned, it should be deleted a week later, or removed from that panel altogether.
Discord doesn’t require a phone number. It’s individual community owners who opt to require it. You can create a server that doesn’t require one but it effectively means you can’t ban people since they can just sign up again on a new account.
> Discord may have leaked sensitive personal information about 70,000 users -- including (but not necessarily limited to) government IDs, names, usernames, email addresses, last 4 digits of SSN, and IP addresses.
Credit card numbers are not SSNs, and I can't fathom why Discord would have the latter (I certainly never gave them any government ID either). Not to mention, "last 4 digits" of a credit card number will commonly appear on, for example, store receipts that people commonly just leave behind. Usernames can hardly be called sensitive information, either. The point is all the other stuff being tied to the username.
No need to blame the user for the company's actions.
Company enacts policy enforced on them by law, for example requiring proof that a user is above the age of 18 to be able to use a channel where other users may use naughty words (The Horror!!!).
User struggles to use the automated age check system (I used the "guess age by letting an AI have a look at a selfie" method and it was a pain in the ass which failed twice before it finally worked) so does what is recommended and make a support ticket. [0]
User, relying on the published policy that Discord will delete the ID directly after it is used to do the age check [1], decides they wish to keep communicating with their online friends and uploads their ID.
Discord then fails to honour their end of the deal by deleting their users' documents after use, and then gets breached.
Full blame is on Discord for poorly handling their users data by their 3rd parties, and on the Governments forcing such practices. Discord should have their asses handed to them by the UK's ICO.
Sure, us geeks can and will use self hosted systems and find ways to avoid doing ID checks, but your avg joe isn't going to do that.
Hopefully cases like this will help with the push back on governments mandating these kinds of checks, but I see the UK government just falling back to "think of the children" and laying all the blame on Discord (who are not without fault in this case).
I’m in a different industry, but when I’ve had to collect identification for reasons we extracted metadata at the time of presentation, validated it, and discarded the image.
We would never get clearance from counsel to store that in most scenarios, and I can't think of a reason to justify it for an age or name verification.
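The extract-validate-discard flow the commenter describes, written out as an added example (not code from the commenter, Discord, or any vendor): the image and extracted fields live only for the duration of the call, and the persisted record holds just the derived attribute, a keyed hash of the document number for duplicate-account checks, and a bounded retention deadline for appeals. The sample document, key and retention window are constructed placeholders.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import date, datetime, timedelta, timezone

# Constructed sample of what an OCR/verification step hands back after reading
# the presented document. None of these values are real.
SAMPLE_EXTRACTED = {
    "document_type": "passport",
    "document_number": "X1234567",
    "date_of_birth": date(2001, 4, 9),
    "expiry": date(2030, 1, 1),
}
SAMPLE_IMAGE = b"\x89PNG constructed placeholder bytes"
SAMPLE_NOW = datetime(2025, 10, 10, tzinfo=timezone.utc)
SAMPLE_UNDER_18 = dict(SAMPLE_EXTRACTED, date_of_birth=date(2010, 1, 1))
SAMPLE_EXPIRED = dict(SAMPLE_EXTRACTED, expiry=date(2020, 1, 1))

# Hypothetical server-side secret; in a real deployment it comes from a KMS/HSM.
DEDUP_KEY = b"hypothetical-server-side-key"
# Bound on how long an appeal record may exist before a sweeper deletes it.
APPEAL_RETENTION = timedelta(days=7)


@dataclass(frozen=True)
class VerificationRecord:
    """The only thing persisted: the outcome, never the document."""
    over_18: bool
    document_ref: str      # HMAC of the document number, usable only for dedup
    verified_at: datetime
    delete_after: datetime


class InvalidDocument(ValueError):
    pass


def age_on(dob: date, when: date) -> int:
    years = when.year - dob.year
    if (when.month, when.day) < (dob.month, dob.day):
        years -= 1
    return years


def document_ref(document_number: str, key: bytes = DEDUP_KEY) -> str:
    # Keyed HMAC rather than a bare hash: an unkeyed SHA-256 of a short,
    # structured document number is trivially reversible by enumeration.
    return hmac.new(key, document_number.encode(), hashlib.sha256).hexdigest()


def verify_and_minimize(image: bytes, extracted: dict, now: datetime) -> VerificationRecord:
    """Validate the presented document, derive the one attribute needed, and
    return a record from which neither image nor fields can be reconstructed."""
    today = now.date()
    if extracted["expiry"] < today:
        raise InvalidDocument("document expired")
    dob = extracted["date_of_birth"]
    if dob > today:
        raise InvalidDocument("date of birth in the future")
    record = VerificationRecord(
        over_18=age_on(dob, today) >= 18,
        document_ref=document_ref(extracted["document_number"]),
        verified_at=now,
        delete_after=now + APPEAL_RETENTION,
    )
    del image, extracted  # raw material is dropped here; nothing below can use it
    return record


def is_expired(record: VerificationRecord, now: datetime) -> bool:
    """Retention check a sweeper job runs before deleting appeal records."""
    return now >= record.delete_after


def record_leaks_raw_data(record: VerificationRecord, extracted: dict) -> bool:
    """Self-check: no raw field value may appear anywhere in the persisted record."""
    persisted = repr(record)
    return any(str(value) in persisted for value in extracted.values())
```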
A bunch of UK users are blocked from the more "free speech" (over 13) channels unless they prove their identity to Discord, to comply with the Online Safety Act.
I also wish open-source communities would move off of Discord for another reason: Users are limited to joining a maximum of 100 servers.
I've hit the cap and it's driving me crazy. It's really easy to hit it since each friend group, hobby group, gaming community, and open-source community often all have their own servers.
Do they actually say in the TOS that they will delete them? If they do, do they say immediately? How immediately? Right away or, perhaps, 1 month? Unless specified in contractual documentation, words like "immediately" or "soon" do not have any single definition, which allows them to stretch it without technically being in breach of contract. Not to mention that often times, governments mandate data retention for so-and-so amount of time, so the companies are legally required in such cases to keep the data even if they, miraculously, desire not to.
I can still swipe the message away, so I haven't done it yet. I'm going to work out how I can fake the face scan. I ain't sending Government ID to some chat app (no matter how big or small) that's over the top.
As an aside, I would have thought the age groups should be: 13 to 18, and 18+. They're the only ones that materially matter to the reason this check exists, in Australia at least. I don't want to contribute to their demographic analysis.
The unauthorized party also accessed a “small number” of images of government IDs from “users who had appealed an age determination.”
It makes sense they have to hang on to the ID in case of processing an appeal, which probably doesn't have the highest priority and hence stretches out in time.
Why are people assuming they did store it after the process was completed?
With the relatively low number leaked here it could have been information collected actively during an ongoing breach, not a dump of some permanent database.
ZK proofs for identity can't go mainstream quick enough. I agree with what you're saying completely. It's frustrating that we have the technology now to verify aspects of someone's identity without revealing it, but that it's going to take forever to become robust enough for mainstream use.
It's not surprising because there's never been a significant penalty for it, I guess because everybody just got completely used to massive breaches without much reaction. But then again it's very hard to get legislation passed that's not in the interests of big business.
It is a common misconception that facts are reported because they are surprising. Facts are reported because they are important. More and more governments are passing age verification laws which put exactly this data into the hands of even more shady private companies. This breach serves as evidence that those laws are misguided, and spreading news of this event may help build public support for those efforts.
What's wild is that the burden keeps falling on individuals to be ultra-cautious, while the systems handling the data rarely face meaningful consequences.
> I don't particularly blame any one corporation, this is a systemic issue of governments not having/not enforcing serious security measures
Wrong, governments caused the issue because they demand customers to ID themselves. There exists not a single viable security measure aside from not collecting the data. Government is also not able to propose any security measures.
Unlikely that the data will ever be deleted now, no matter if Discord pays any ransoms or not.
The third-party layer is basically the dark matter of data breaches: invisible to users, barely acknowledged by companies, and completely unaccountable when things go wrong.
As far as I have heard zero knowledge proofs have become optional (thus dead) in the EU wallet specification. I expect selective disclosure in all form to be completely axed next.
Editorial Channel
What the content says
Article 12 (Privacy): +0.60, High Coverage. Editorial +0.60, SETL +0.49, FW Ratio 57%.
This is the core article implicated. The article thoroughly documents unauthorized disclosure of private identity documents and treats privacy violation as a serious human rights matter. It specifies multiple categories of exposed personal data and emphasizes user notification.
Observable Facts
The headline and lead emphasize government IDs as the primary category of exposed data.
The article details specific private data types: 'names, usernames, emails, the last four digits of credit cards, and IP addresses.'
Discord confirms 'All affected users globally have been contacted.'
The article traces the breach to a 'third-party customer service provider' (Zendesk instance).
Inferences
The article treats privacy violation as a serious human rights concern by leading with identity document exposure and detailed enumeration of compromised data.
The emphasis on user notification reflects recognition that affected individuals have a right to know about violations of their privacy.
The professional, serious tone suggests the article recognizes privacy as a fundamental right requiring institutional protection.
Article 3 (Life, Liberty, Security): +0.40, High Coverage. Editorial +0.40, SETL +0.35, FW Ratio 60%.
The article documents a major threat to personal security through identity theft risk; it reports concrete types of compromised data and protective responses.
Observable Facts
The article states 70,000 users 'may have had their government ID photos exposed.'
Discord reports specific types of compromised data: 'names, usernames, emails, the last four digits of credit cards, and IP addresses.'
Discord states it continues 'to work closely with law enforcement, data protection authorities, and external security experts.'
Inferences
The article recognizes identity exposure as creating concrete security threats to person through identity theft and fraud.
The detailed reporting of law enforcement coordination frames personal security as requiring institutional protection.
Preamble: +0.20, Low Coverage. Editorial +0.20, SETL +0.14, FW Ratio 50%.
The article documents a serious breach affecting human dignity through unauthorized exposure of identity documents and treats the incident with appropriate gravity.
Observable Facts
The article reports approximately 70,000 Discord users had government-issued identification documents exposed.
The report treats identity document exposure as a serious security incident requiring law enforcement involvement.
Inferences
The article recognizes identity document protection as integral to human dignity by emphasizing the incident's seriousness.
Professional journalistic treatment suggests recognition that unauthorized personal disclosure violates dignity.
Article 6 (Legal Personhood): +0.20, Low Coverage. Editorial +0.20, SETL +0.20, FW Ratio 50%.
The article documents exposure of government-issued documents that are instruments of legal recognition and identity status.
Observable Facts
The article emphasizes 'government-ID photos' as the primary exposure category.
Discord's statement references 'age-related appeals' processed using these documents, indicating official legal use.
Inferences
The focus on government IDs specifically treats these documents as having special legal and official significance.
The exposure of documents used in formal appeals suggests recognition that these are instruments of legal recognition.
Article 13 (Freedom of Movement): +0.20, Low Coverage. Editorial +0.20, SETL +0.20, FW Ratio 50%.
Government ID exposure creates potential for tracking and restriction of movement; the article documents this indirectly through identity theft risk.
Observable Facts
Government-issued identification documents are instruments used to track and document individuals' movement across borders and jurisdictions.
Inferences
The article's focus on ID document exposure implicitly addresses freedom of movement by documenting exposure of documents used to control movement.
Article 29 (Duties to Community): +0.20, Medium Coverage. Editorial +0.20, SETL +0.20, FW Ratio 50%.
The article documents Discord's failure in its duty to protect user data and treats this corporate accountability seriously.
Observable Facts
Discord states 'We take our responsibility to protect your personal data seriously.'
The company 'ended work with the compromised vendor' in response to the duty failure.
Inferences
The article frames data protection as a corporate duty owed to users, suggesting recognition of mutual responsibility for rights protection.
The treatment of vendor termination as a necessary response suggests recognition that rights violations require accountability.
Article 8 (Right to Remedy): +0.10, Low Coverage. Editorial +0.10, SETL +0.10, FW Ratio 50%.
The article mentions law enforcement and data protection authority involvement, implying access to remedial institutions.
Observable Facts
Discord states it works 'closely with law enforcement, data protection authorities, and external security experts.'
Inferences
The report of law enforcement involvement suggests affected users have access to remedial pathways through competent institutions.
Article 14 (Asylum): +0.10, Low Coverage. Editorial +0.10, SETL +0.10, FW Ratio 50%.
Age verification photos and government IDs could relate to asylum status documentation; exposure could endanger vulnerable populations seeking asylum.
Observable Facts
Discord's statement mentions 'age-related appeals' were processed using the exposed documents.
Inferences
Individuals seeking asylum may have used age verification processes; exposure of their identity documents could put vulnerable people at risk of persecution.
Article 15 (Nationality): +0.10, Low Coverage. Editorial +0.10, SETL +0.10, FW Ratio 50%.
Government-issued identification documents are instruments through which nationality is recorded and proven to state authorities.
Observable Facts
The article focuses on 'government-ID photos' as the primary exposure category.
Inferences
Identity documents are legal instruments of nationality; their exposure affects the security of nationality status and legal recognition.
Article 19 (Freedom of Expression): +0.10, Low Coverage, Practice. Editorial +0.10, SETL -0.09, FW Ratio 60%.
The article itself is an exercise of freedom of the press in reporting publicly important information about corporate misconduct and security failure.
Observable Facts
The article is published under clear byline with author name, title, and timestamp.
A comments section is enabled for reader response and engagement.
The article is freely accessible without subscription or authentication barriers.
Inferences
The article practices freedom of expression by reporting on corporate security failure without apparent censorship or corporate pressure.
The accessible format and comment section structure enable readers to participate in public discourse about privacy violations.
Article 21 (Political Participation): +0.10, Low Coverage. Editorial +0.10, SETL +0.10, FW Ratio 50%.
Government IDs are used in electoral processes; their exposure could affect voting security and electoral rights.
Observable Facts
Government-issued IDs are primary documents used for voter authentication in most democracies.
Inferences
Exposure of government IDs creates an indirect threat to electoral security and voting rights protection.
Article 28 (Social & International Order): +0.10, Low Coverage. Editorial +0.10, SETL +0.10, FW Ratio 50%.
The article documents a systemic failure in vendor oversight that prevented full realization of privacy rights.
Observable Facts
Discord ended work with the compromised vendor and secured affected systems in response.
Inferences
The article documents a systemic failure requiring institutional response to protect rights and prevent recurrence.
Article 11 (Presumption of Innocence): 0.00, Low. Editorial 0.00, SETL ND, FW Ratio 50%.
The article presents Discord's statement defending against breach claims without presuming guilt; the factual dispute is reported neutrally.
Observable Facts
Discord's statement claims 'the numbers being shared are incorrect and part of an attempt to extort a payment.'
Inferences
The article presents the factual dispute between Discord and attackers without presuming innocence or guilt of either party.
Not addressed (ND): Article 1 (Freedom, Equality, Brotherhood), Article 2 (Non-Discrimination), Article 4 (No Slavery), Article 5 (No Torture), Article 7 (Equality Before Law), Article 9 (No Arbitrary Detention), Article 10 (Fair Hearing), Article 16 (Marriage & Family), Article 17 (Property), Article 18 (Freedom of Thought), Article 20 (Assembly & Association), Article 22 (Social Security), Article 23 (Work & Equal Pay), Article 24 (Rest & Leisure), Article 25 (Standard of Living), Article 26 (Education), Article 27 (Cultural Participation), Article 30 (No Destruction of Rights).
Structural Channel
What the site does
Article 12 (Privacy): +0.20, High Coverage. Structural +0.20, Context Modifier ND, SETL +0.49.
The article is freely accessible without privacy-invasive paywalls; professional standards are applied; comments are enabled for reader engagement; however, the site likely includes general analytics tracking.
Article 19 (Freedom of Expression): +0.15, Low Coverage, Practice. Structural +0.15, Context Modifier ND, SETL -0.09.
The site enables freedom of expression through bylined articles, public comment sections, and free access to content; its professional structure supports public discourse.
Preamble: +0.10, Low Coverage. Structural +0.10, Context Modifier ND, SETL +0.14.
The free, professional news structure allows distribution of information about dignity violations; there are no apparent structural barriers.
Article 3 (Life, Liberty, Security): +0.10, High Coverage. Structural +0.10, Context Modifier ND, SETL +0.35.
The article is accessible and functional; it does not compromise user security through site structure.
The following articles score 0.00 (Structural 0.00, Context Modifier ND) because they are not specific to structural implications:
Article 6 (Legal Personhood): Low Coverage, SETL +0.20.
Article 8 (Right to Remedy): Low Coverage, SETL +0.10.
Article 11 (Presumption of Innocence): Low, SETL ND.
Article 13 (Freedom of Movement): Low Coverage, SETL +0.20.
Article 14 (Asylum): Low Coverage, SETL +0.10.
Article 15 (Nationality): Low Coverage, SETL +0.10.
Article 21 (Political Participation): Low Coverage, SETL +0.10.
Article 28 (Social & International Order): Low Coverage, SETL +0.10.
Article 29 (Duties to Community): Medium Coverage, SETL +0.20.
Not applicable (ND): Article 1 (Freedom, Equality, Brotherhood), Article 2 (Non-Discrimination), Article 4 (No Slavery), Article 5 (No Torture), Article 7 (Equality Before Law), Article 9 (No Arbitrary Detention), Article 10 (Fair Hearing), Article 16 (Marriage & Family), Article 17 (Property), Article 18 (Freedom of Thought), Article 20 (Assembly & Association), Article 22 (Social Security), Article 23 (Work & Equal Pay), Article 24 (Rest & Leisure), Article 25 (Standard of Living), Article 26 (Education), Article 27 (Cultural Participation), Article 30 (No Destruction of Rights).
Supplementary Signals
How this content communicates, beyond directional lean.
The article accepts Discord's characterization that attackers are spreading 'inaccurate information' without independently verifying the scope or accuracy of competing breach claims.
build b3ef88d+do1d · deployed 2026-02-28 14:37 UTC · evaluated 2026-02-28 14:28:40 UTC