BeyondChat

As far as I can make out, this only affects people who have used Discord's support ticketing system: if you have, then usual security measures after a breach - change password, don't believe ANY emails from Discord without verifying directly, not through links provided in the email, etc.

https://cybersecuritynews.com/discord-data-breach -

"A data breach at a third-party customer service provider has exposed the personal data of some Discord users, including names, email addresses, and a small number of scanned government-issued photo IDs.

The incident did not compromise Discord’s main systems, and the unauthorized access was limited to data handled by the company’s support teams."

It doesn't matter HOW good your personal infosec is, someone will f**k you over smh. All we can do is be a bit more difficult so the bad actors can't be bothered and go after the easier (= more stupid, in this day and age) targets.

Change discord pfp to the Clipy , It's safe now

and a small number of scanned government-issued photo IDs.

Didn't take long, therein lies the flaw of the OSA, completely flawed and no surprises at all.
Why they would even need to keep this data on record is beyond me, if it was truly just about age verification then they could just remove not immediately after. Obviously it's not.

BestEjac wrote: ↑09 Oct 2025

and a small number of scanned government-issued photo IDs.

Didn't take long, therein lies the flaw of the OSA, completely flawed and no surprises at all.
Why they would even need to keep this data on record is beyond me, if it was truly just about age verification then they could just remove not immediately after. Obviously it's not.

Woah woah woah woah.... Applying common sense is a clear violation of the Online Safety Act already, please stop immediately.

The easiest data in the world to protect, is no data at all. If they had the presence of mind, specifying a maximum retention period for ID checks, such as 7 days for QA purposes, would have helped, even in a deeply flawed law. But like they give a damn.

I've been out of the infosec game a few years now because I just got sick of human stupidity, which is the ultimate root cause of 99.9% of every single data breach I ever dealt with or heard about. The other 0.1% is that criminals are always one step ahead, and they are rare af.


I would put good money on the root cause of this not being a "technical breach". It'll be a human failure in the third party to adequately protect their systems or a failure in Discord's due diligence/auditing or both. Probably both, because companies who outsource are often cheapskates, that's the whole point of outsourcing. Also basic process - retention of personal data beyond purpose it is actually required for.