Comment by accrual
16 days ago
Here's the October 2025 Discord data breach mentioned at the end of the article:
https://www.bbc.com/news/articles/c8jmzd972leo
> Discord, a messaging platform popular with gamers, says official ID photos of around 70,000 users have potentially been leaked after a cyber-attack.
However, their senior director states in this Verge article:
> The ID is immediately deleted. We do not keep any information around like your name, the city that you live in, if you used a birth certificate or something else, any of that information.
Why they didn't do that the first time?
> The ID is immediately deleted. We do not keep any information around like your name, the city that you live in, if you used a birth certificate or something else, any of that information.
This is also contradicted by what Discord actually says:
> Quick deletion: Identity documents submitted to our vendor partners are deleted quickly— in most cases, immediately after age confirmation.
What are the non-most cases?
Also, _Discord_ deleting them is really only half the battle; random vendors deleting them remains an issue.
Not to mention collecting them at all means those servers are a primo location for state actors to stage themselves to make copies of data before being deleted.
To say nothing of insider threats of which likely exist across every major social media platform in service to foreign govs.
14 replies →
> Also, _Discord_ deleting them is really only half the battle; random vendors deleting them remains an issue.
This really is the issue. Of the 5 or so data breach notifications I received last year, none are from an entity I have a direct relationship with. They're all from a vendor used directly or indirectly by these entities.
The real answer is more serious penalties for having data breaches. Having 6 concurrent "identity monitoring" services is of zero value to me.
Vendors like that would be in deep GDPR shit if they claim to not store highly sensitive data and then do in fact store highly sensitive data.
Generally the GDPR is not rigorously enforced, but when it comes to sensitive data like face scans, IDs, medical data etc. the hammer comes down a lot swifter and harder.
1 reply →
"We delete them immediately after we have sold them to our 579 parters"
Weird that I have to get a list of all the cookie vendors that know I visit a website to show me an ad about something I already bought but the guys with my ID don't need to be listed.
5 replies →
Well since you have these IDs, for national security (AML, criminals and whatnot), we will need you to keep them if our endpoint says so, here's the endpoint
How can we even confirm that they are actually deleting them. Trust me bro vibe
Imagine the neural network you could train over such a large dataset of ID's so when you pay your bills or do the flight check-in you avoid the hassle of manually inputting the data yourself? Ah, yes, we have that already.
>"Identity documents submitted to our vendor partners"..
Yeah, say goodbye to those the privacy and safety of those documents.
Since when the city one lives in is mentioned in the birth certificate?
It was only one example they gave, and they accept multiple different types of ID; a driver's license or national ID card being other likely ones, and DLs do say where you live.
27 replies →
> The ID is immediately deleted. We do not keep any information around like your name, the city that you live in, if you used a birth certificate or something else, any of that information.
Everyone says this, including the TSA. But they never say they don't keep a hash, or an eigenvector of your biometric. Which is equally as important.
They also never say it goes through datacenters in room 641A or though Utah before it's "deleted", because it's a US company and they can't refuse that.
In case someone is unaware, 641A and Utah and both references to the US mass surveillance systems in this context. Specifically interceptors that a company wouldn't be able to prevent from saving your data for the few seconds they need to process and delete it
6 replies →
> We do not keep any information around like your name
But they might be sending a copy to the NSA, similarly to how Alphabet, Yahoo, Apple, Meta etc. have been doing (PRISM program, part of the Snowden revelation [1]). The US has the legal mechanisms of requiring this to happen, secretly, such as NSLs [2].
[1] : https://en.wikipedia.org/wiki/PRISM
[2] : https://en.wikipedia.org/wiki/National_security_letter
I bet the NSA does not even require their cooperation. They are probably already inside their systems.
And do they really actually delete it this time?
I have it on good authority that they really truly delete it this time, super duper pinky promise
Once it's out there the only assumption that holds is no trust, and therefore all bets are off.
I believe the original finding was that they were not deleting IDs that were involved in disputes.
> The ID is immediately deleted.
I call it bollocks. Likely they have to keep it for audit and other purposes.
"delete" doesn't mean delete anymore, like you say, there are always audit logs, and there is "soft" deleting.
Expect any claims that things are being deleted to be a bold faced lie.
We deleted it from someplace. It's not our fault we have more places!
They wouldn't _have to_, audit checks if you stick to law, your own policies and such, but I think they will.
So how do they prove they actually checked someone's age?
2 replies →
>Why they didn't do that the first time?
The company they hired to do the support tickets archived them, including attachments, rather than deleting them.
Ah sorry our contractor did all that highly illegal stuff. Too bad we can't pierce the corporate veil anymore... shucks.
Ah, so it was the "staffer" excuse.
rogue engineer
How convenient.
Until we have some kind of "One Time ID Verification" service that would work, the ID will never be deleted. Or a hash of the info or some kind of identifiable info.
Humm yeah, like a government digital ID of some sort. Except people go mental about that, so sending scanned copies of my personal ID documents to every bank/solicitor/estate agent/mortgage broker/random internet service it is then...
Or if they don't need your ID.
They're a nonsense company, and trusting them with any information is foolish. They'll store everything and anything, because data is valuable, and won't delete anything unless legally compelled to and held accountable by third party independent verification. This is the default.
The purpose of things is what they do. They're an adtech user data collection company, they're not a user information securing company.
They explained it in their announcement at https://discord.com/press-releases/update-on-security-incide...
TL;DR: The IDs were used in age-related appeals. If someone's account was banned for being too young they have to submit an ID as part of the appeal. Appeals take time to process and review.
Discord has 200,000,000 users and age verification happens a lot due to the number of young users and different countries.
This is corporate cover speak for “we keep all data”
Yeaaah, nope.
GDPR is no joke and storing people’s actual ID card photos is a gigantic liability. Companies treat that stuff like it’s toxic waste, they want to get rid of it as fast as possible and permanently.
5 replies →
Why should we suspect the age verification and age-related appeals would involve different teams or processes?
Age verification is done by an iframe to k-id.com.
Appeals are done in the actual Discord ticketing system.
Appeals are like escalations. They bypass automations and move to manual review.
Uh... EVERYONE with a Discord account has to go through age-related appeals now. That's what the announcement is.
Sigh, I guess it's time to move platforms again or get your identity stolen. The more a company makes a fuss about trusting users, the more likely they store all of their shit in plaintext with vibe coded server security.
Deleted from some location or purged from their entire system?
> We do not keep any information around
... "around"
Compliance
Liars…
[dead]