The Guardian dutifully reports the inevitable:
Proof-of-age ID leaked in Discord data breach
Video game chat platform Discord has suffered a data breach, informing users that their personal information – including identity documents of those required to prove their age – were compromised.
The company stated last week that an unauthorised party had compromised one of Discord’s third-party customer service providers, leading to the access of “a limited number of users” who had been in contact with the customer service or trust and safety teams.
The data compromised may have included usernames, email, billing information, the last four digits of credit card numbers, IP addresses and messages with customer support.
Discord said the alleged attacker “also gained access to a small number of government ID images (eg driving licence, passport) from users who had appealed an age determination.
[…]
Discord began using facial age assurance to check the age for users in the UK and Australia earlier this year. The company said facial images and ID images “are deleted directly after” ages are confirmed, but Discord’s website noted that if verification fails, users can contact the trust and safety team for a manual review.
Under the under 16s social media ban to come into effect on 10 December, the Australian government has outlined that it expects platforms such as Discord – which is one of the platforms that has been asked to assess if it is required to comply – should have multiple options for assessing a user’s age, and a way for them to quickly appeal an adverse decision.
Platforms can ask for ID documents as part of the age assurance scheme, but it cannot be the sole method of age assurance offered by the platforms under the policy.
In other words, the reason why users from the UK and Australia have been affected in particular is because the UK’s Online Safety Act and Australia’s upcoming ban on under-16s using social media oblige users in those countries to verify their age by giving identifying information to social media companies. The first means of age verification is facial recognition software, but if that doesn’t work, as it frequently doesn’t, the user must give the social media company identifying information such as their username, their email address, their billing information, the last four digits of their credit card number, etc. Which then gets stolen. This procedure is called “keeping people safe online”.
Yes indeed.