Thousands of Discord users may now have their national IDs and photo IDs in the wrong hands. The private information of users who submitted IDs to confirm their age was stolen in a hack, the company told us late Wednesday. About 70,000 people were affected by the break-in, according to a public announcement by Discord. The breach did not occur at Discord itself but at a compromised third-party vendor whose functions relate to customer support and trust and safety.

When Verification Goes Awry

Users attempting to show they were of legal age to use the platform sent in personal documents such as driver's licenses or passports; some even took photos of themselves with the ID. That is the information the hackers were able to steal, which raises a substantial privacy issue. While Discord is attempting to contact affected users, it would not elaborate on the vendor involved. It also indicated that chat histories and information and material on the platform were not compromised.

But on Telegram, people said to be involved in the hack are already posting samples of what they say was taken: a database including names, addresses, telephone numbers (partially redacted) and emails. They also attached over 100 ID verification photos of users with their IDs. NBC News has seen the materials but could not verify them on its own.

A Pattern of Risk in Age Gating Systems

The breach has revived discussion of how tech platforms address age verification and data privacy concerns. Experts have long said that such operations are vulnerable to abuse because of the sensitive data they require. Maddie Daly of the Electronic Frontier Foundation pointed out the risk by labelling it a screening system in hiding. She went on to say that “users can never be assured of how their private data will be used or revealed.”

The disclosure by Discord comes just months after another privacy breach, at the Tea app, which advertised itself as a women-only platform. The Tea app was breached in July and a total of 72,000 verification photos were revealed. In those instances, users had sent in verification photos on the assumption that it was being done in the name of safety, and discovered that being hacked this way had become a pattern of vulnerability.

While Discord is cooperating with law enforcement and investigating the breach, privacy advocates indicated that this was another cautionary tale about how digital programs collect and protect the most personal data that can be shared. And for those whose verified information was accessed, this is a trespass that will last far longer than any verification operation should.