Nearly all of the 70,000 people affected by a recent data breach involving a Discord age verification platform were based in Australia, raising new privacy concerns ahead of the nation’s looming social media age ban.

The Office of the Australian Information Commissioner (OAIC) confirmed to Information Age that 68,000 Australian Discord users had their personal information compromised in the incident — almost the entire number of affected users worldwide.

An OAIC spokesperson urged Australians impacted by the breach to change passwords and contact the agency that issued their identity documents for further advice.

“In cases where Australians are affected by a data breach, the OAIC strongly encourages individuals to act quickly to take measures which can help to avoid harm,” the OAIC spokesperson said.

Age verification documents breached

A third-party provider used by Discord for customer service, mainly to deal with complaints relating to the platform’s age assurance processes, was breached by hackers.

Data including government ID images, names, usernames, email addresses, and some limited billing information was obtained by the cyber attackers.

From September, Discord started using facial age assurance technology to verify the age of its users in Australia.

To do this, users were required to either take a video selfie or scan a driver’s licence, passport or other government ID, along with a photo selfie.

If this verification failed, users were able to contact Discord’s trust and safety team for a review, a process handled by the third-party provider that was breached.

Following the breach, hackers posted what they claimed was an example of the data they had obtained, including selfies of Discord users holding their government IDs.

The hackers claimed to have 2 million similar images, but this was rejected by Discord, with the company saying this was an “attempt to extort a payment” from them.

Just weeks before social media age ban

The age verification breach comes less than two months before Australia’s social media age ban is set to come into effect, and has increased concerns surrounding privacy and data security.

OAIC recently released guidance for tech companies subject to the age ban, outlining their “stringent legal obligations” to ensure it is implemented using “privacy-respecting approaches”.

These guidelines state that all personal information used to verify a user’s age must be destroyed after it has been used for its intended purpose.

When launching age verification in Australia, Discord said that any data used for this is “deleted directly after” it is used, but data was then sent as part of appeals against decisions made through this process.

The OAIC spokesperson said its guidelines “make it clear that protecting privacy is essential to implementation of the scheme”.

“Public resources are also available from the OAIC to assist the public, including parents, carers, children and young people in understanding the scheme, age assurance and how to best protect their personal information through measures like multi-factor authentication and ensuring that their information is shared online through secure URLs,” the spokesperson said.

Discord will not initially be subject to Australia’s social media age ban.

Communications Minister Anika Wells announced on Wednesday that the eSafety Commissioner had assessed nine social media platforms to be subject to the ban: Facebook, Instagram, Snapchat, TikTok, YouTube, X, Threads, Reddit and Kick.

From 10 December these platforms will be required to take “reasonable steps” to prevent under 16-year-olds from holding accounts, and will face fines of up to $49.5 million if they fail to do so.

“eSafety has assessed these platforms as requiring age-restriction but their assessments will be ongoing and this list is dynamic,” Wells said in a statement.

“We aren’t chasing perfection, we are chasing a meaningful difference. I have met with major social media platforms in the past month so they understand there is no excuse for failure in implementing this law.”