jml7c5 | 4 months ago

Per Discord's press release, it appears only a small subset of photo IDs were leaked:

>The unauthorized party also gained access to a small number of government ID images (e.g., driver’s license, passport) from users who had appealed an age determination.

https://discord.com/press-releases/update-on-security-incide...

chatmasta|4 months ago

You seem to be reading the press release language exactly as they'd like you to read it.

Users only upload their government ID to Discord when the "Face Scan" [0] incorrectly estimates their age as being less than 18. Discord could reasonably classify this as a "small number" of users who need to upload their government ID image. That wouldn't preclude it from also being every user who needs to upload their government ID image — unless there is some other system that also requires them to upload it?

With that in mind, here's a rephrasing of the same statement:

> The unauthorized party also gained access to all uploaded government ID images.

Their press release does NOT say it's a small subset of photo IDs. It says a "small number" of government ID images — nothing about percentages. This would be consistent with the "small number" of users who need/choose to appeal an incorrect age estimation from Face Scan.

[0] https://support.discord.com/hc/en-us/articles/30326565624343...

rpdillon|4 months ago

This comment is a fantastic study on how to adversarially read press releases like this. I suspect it's exactly correct: likely all photo IDs were leaked, but they decided to cast it as a small number by implicitly comparing it to the number of all Discord users. I guess we'll have to wait and see if that's actually correct. We may never find out.

sevenseacat|4 months ago

There are two options for verifying your age on Discord - face scan OR uploading government ID. So some people may have uploaded their ID instead of doing the face scanning, for whatever reason.

squigz|4 months ago

I'm not sure why this is being downvoted. Commenter is entirely correct. If someone has an answer to their question that would add credibility to Discord's phrasing and GP's interpretation, I'm all ears, but otherwise it does seem like this is the case, and every ID they've collected has been leaked, not a subset.

(To say nothing of... does it matter the amount of IDs leaked?)

hn773746483|4 months ago

If a message like "I'm 12", regardless of context, is reported, Discord will ban the account & hold it hostage until the user sends a selfie + ID to them via support (the compromised portal, not a third-party app dedicated to this).

They intentionally chose NOT to disclose a date range or even how many ID tickets compared to standard tickets were leaked.

BoredPositron|4 months ago

Not going to defend Discord here, I hate them with a passion, but COPPA violations have the potential to kill your company.