These were photos submitted via the compromised support provider (Zendesk) via the Discord support portal.
Automated age verification via their partner (k-ID, which has its own issues) is a separate system, which was only available to some users. Other users had to contact Discord support manually and submit photo ID, which went through Zendesk, which was then compromised in this breach.
Additionally, for the automated process, it’s the video selfie that’s on-device and never transmitted, but photos of your ID and selfie photo are transmitted, just supposedly deleted afterwards. Those ones are *not included in this breach, as far as we’re aware, as it’s an entirely different third-party with wholly separate infrastructure.
Which is why you farm off stuff like this to third parties whenever possible
DiscordCorp will get a slap on the wrist and give people an offer of a free six months of discord turbo (so long as you provide payment info so it can auto-renew on month seven).
But ANY meaningful consequences will go toward Zendesk Corp for not doing what they were supposed to. And… then everyone will just use ZZendesk instead
Well, yeah. Discord isn’t exactly at fault here, they’re operating as best they can within the boundaries of a piece of legislation that could be best described as gods gift to the “I-told-you-so” crowd. This breach is exactly what everyone was warning would happen with the UK ID laws, and discord got stung first as they’re one of the few companies trying to adhere to the law in good faith (which, yes, why in hell they’re trying to do this is good faith is a very good question)
Here’s the information directly from the FAQ as of right now:
Q: Is my data stored when I use Face Scan or Scan ID verification?
A: Discord and k-ID do not permanently store personal identity documents or your video selfies. The image of your identity document and the ID face match selfie are deleted directly after your age group is confirmed, and the video selfie used for facial age estimation never leaves your device.
So, I looked at age verification - it was made clear photos were on device only and never transmitted.
If this turns out to be false, then the legal fallout would be apocalyptic.
These were photos submitted via the compromised support provider (Zendesk) via the Discord support portal.
Automated age verification via their partner (k-ID, which has its own issues) is a separate system, which was only available to some users. Other users had to contact Discord support manually and submit photo ID, which went through Zendesk, which was then compromised in this breach.
https://support.discord.com/hc/en-us/articles/360041820932-Help-I-m-old-enough-to-use-Discord-in-my-country-but-I-got-locked-out
Additionally, for the automated process, it’s the video selfie that’s on-device and never transmitted, but photos of your ID and selfie photo are transmitted, just supposedly deleted afterwards. Those ones are *not included in this breach, as far as we’re aware, as it’s an entirely different third-party with wholly separate infrastructure.
Which is why you farm off stuff like this to third parties whenever possible
DiscordCorp will get a slap on the wrist and give people an offer of a free six months of discord turbo (so long as you provide payment info so it can auto-renew on month seven).
But ANY meaningful consequences will go toward Zendesk Corp for not doing what they were supposed to. And… then everyone will just use ZZendesk instead
Well, yeah. Discord isn’t exactly at fault here, they’re operating as best they can within the boundaries of a piece of legislation that could be best described as gods gift to the “I-told-you-so” crowd. This breach is exactly what everyone was warning would happen with the UK ID laws, and discord got stung first as they’re one of the few companies trying to adhere to the law in good faith (which, yes, why in hell they’re trying to do this is good faith is a very good question)
Here’s the information directly from the FAQ as of right now:
That sounds like the video stays on your device but the photos do not.
Big company lies again what a big surprise
Where is that small print? It should be archived before Discord tries to change it.
https://support.discord.com/hc/en-us/articles/30326565624343-How-to-Complete-Age-Verification-on-Discord
Check down on data security ;)
Looks like it’s already been archived: https://web.archive.org/web/20250930051220/https://support.discord.com/hc/en-us/articles/30326565624343-How-to-Complete-Age-Verification-on-Discord
It’s also here:
https://archive.is/FBqo5
Idk it doesn’t seem like there are any legal consequences for tech companies anymore.