

Oh look: #discord outsourced their age verification to some vendor. You know, the #ageverification that countries like the UK want to make mandatory for basically every online service. And the vendor had a data breach exposing photos of government IDs for 70,000 people.

Do you feel safer? How many children did we protect by exposing the IDs of these 70,000 (presumably) adults? Thanks for taking one for the team, you 70,000 canaries in the #privacy coal mine.

discord.com/press-releases/upd…


in reply to Paco Hope

Worth highlighting that Discord did disclose the fact that it happened, what was impacted, and who was impacted, and also shows some awareness of what sensitive data to keep separate from other data that may be involved in customer service communication. The vendor in question is 5CA, and they also blogged about the incident: 5ca.com/blog/holding-statement…
in reply to Kerfuffle

Is it worth highlighting? I mean, admitting that it happened is surely the lowest possible expectation. Do we pat them on the back and give them a participation trophy? In some jurisdictions, this disclosure is mandated by law (which is why these laws are good). Is it worth mentioning that they chose to do what the law said they must?
in reply to Paco Hope

That the security breach should have been prevented is true of course, but the fact of the matter is that they occur nonetheless. Is it worth punishing companies for being transparent about incidents and following the law? Given the way big tech rarely does this right, I applaud Discord and 5CA for responding correctly.
Unknown parent

Kerfuffle
Either you've been reading different responses than I have, or you're making a lot of assumptions there.
Unknown parent

Kerfuffle
Wow, that does put things in a different light. So do you doubt 5CA's explanation or do you think Discord was actually targeted more extensively, or via more vectors?