It has been a few months since the UK Government laid down new rules that forced social media platforms operating in the UK to bring in age verification measures. Though the new rules were designed to protect children from encountering harmful content, many cybersecurity experts and privacy advocates warned that there could be unintended consequences. Those dire warnings are now coming true, with news of a data breach at Discord.
Despite starting out as a small company, Discord rapidly grew in popularity amongst PC gaming fans. The app now holds a solid 90 percent market share in the video game communication market. This has forced the company to grow rapidly. With so many customers, many of them under 18, securing customer data should be a high priority for Discord.
Pressures of rapid growth forced it to rely heavily on external third-party contractors for areas such as customer support, and even the Trust and Safety Team. According to the statement released by Discord to its users, one of these third-party contractors was a vector that allowed hackers to gain access to a great deal of private customer information.
Information obtained included email addresses, real names, and partial bank card and billing information. Some users who had provided scans of government-issued ID for age verification were also affected. Fortunately, passwords, full bank card information and residential addresses do not seem to have been captured in the hack. Affected users will receive an email from the official ‘noreply@discord.com’ address, which will include information on what personal data was obtained and what to do next.
The third-party company that became the vector for the attack has had its access to Discord systems removed, and Discord has already launched a full investigation into the incident. The blog post from Discord staff highlights a commitment to safety and security and emphasises that a review of its threat detection system is underway to prevent a recurrence.
Overall, the attack could have been a lot worse, but this incident only highlights how vulnerable personal data is. With age verification mandates becoming more common not just in the UK but in the USA and Europe, it is very likely that something similar, or worse, will happen again.