Discord Breached - Hackers Demand $5,000,000 in Ransom
How 2.1 Million Discord Users' IDs Have Been Stolen

The image above? It’s the lie of the century.
“The information you provide is only used to confirm your age group, then it’s deleted.”
If that’s so, why have 2.1 million photos of government IDs been stolen by hackers?
This is a question Discord has sidestepped since the breach occurred on September 20th.
In Discord’s Defence
They make the following points to defend themselves:
“First, as stated in our blog post, this was not a breach of Discord, but rather a third-party service we use to support our customer service efforts,” Discord told BleepingComputer in a statement. — Source
“This was not a breach of Discord” is simply false. It’s a polite way to shift the blame onto Zendesk, the partner that stores the IDs of all the victims.
Discord made the decision to use Zendesk customer support to allow the exchange of government credentials over email, so they should take the blame here.
“Second, the numbers being shared are incorrect and part of an attempt to extort a payment from Discord. Of the accounts impacted globally, we have identified approximately 70,000 users that may have had government-ID photos exposed, which our vendor used to review age-related appeals.”
We can’t be certain that Discord is wrong here. But judging from their first statement, it does appear they’re trying to downplay the real damage done to save their reputation.
Discord in Reputational Debt
The hacker said the group demanded $5 million in ransom, later reducing it to $3.5 million, and engaged in private negotiations with Discord between September 25 and October 2. — Source
Discord publicly stated that it would not pay the ransom, and the hackers will most likely leak the information.
Either way, I think this was a good decision because the hackers will most likely leak the information sometime in the future, even after getting paid.
The Technical Solution: Zero-Knowledge Proofs
This debacle would have been avoided if sensitive information had never been sent to customer support teams.
If any crypto enthusiasts made it this far, Zero-Knowledge Proofs are a possible way to achieve this.
Here’s an amazing beginner-friendly explanation of how it works:
ZKPs are still not widely deployed, most likely because spending money on cybersecurity is just not that enticing.
And what’s more enticing is the ability to store user identification for as long as possible by taking advantage of weak data protection laws.
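To make the idea concrete, here is an added example (not from the original post, and not Discord's or Zendesk's code): a hash-chain age commitment, a far simpler construction than a general-purpose ZKP system, that lets a user show "age >= 18" without handing over a date of birth or an ID photo. The issuer role, the HMAC key and all function names are assumptions for illustration; a real deployment would replace the HMAC with a public-key signature.

```python
import hashlib, hmac, secrets

def chain(value: bytes, n: int) -> bytes:
    """Apply SHA-256 n times."""
    for _ in range(n):
        value = hashlib.sha256(value).digest()
    return value

# Constructed demo key. A real issuer would use a public-key signature so
# that verifiers hold no signing secret; HMAC is a stdlib stand-in.
ISSUER_KEY = b"constructed-demo-issuer-key"

def issue(age: int):
    """Issuer (checks the ID once): returns (seed, commitment, tag) to the user."""
    seed = secrets.token_bytes(32)
    commitment = chain(seed, age + 1)
    tag = hmac.new(ISSUER_KEY, commitment, hashlib.sha256).digest()
    return seed, commitment, tag

def prove(seed: bytes, age: int, threshold: int) -> bytes:
    """User: derive a proof of 'age >= threshold' without sending the age."""
    if age < threshold:
        raise ValueError("statement is false; no proof can be derived")
    return chain(seed, age + 1 - threshold)

def verify(proof: bytes, commitment: bytes, tag: bytes, threshold: int) -> bool:
    """Verifier: sees proof, commitment and tag; never the seed, age or ID."""
    expected = hmac.new(ISSUER_KEY, commitment, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return False  # commitment was not issued by the trusted issuer
    # Hashing the proof 'threshold' more times must land on the commitment.
    return hmac.compare_digest(chain(proof, threshold), commitment)

def demo() -> dict:
    seed, commitment, tag = issue(age=25)
    proof18 = prove(seed, 25, 18)
    return {
        "over_18": verify(proof18, commitment, tag, 18),
        # The same proof cannot be stretched into a stronger claim.
        "over_21_with_18_proof": verify(proof18, commitment, tag, 21),
        "forged": verify(secrets.token_bytes(32), commitment, tag, 18),
    }

if __name__ == "__main__":
    print(demo())
```

The commitment and tag are the same at every verifier, so they act as a linkable identifier; unlinkable credential schemes address that at the cost of heavier cryptography.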
Summary
- Discord has been breached: data of potentially millions of users has been stolen by hackers.
- Discord’s reputation will suffer, and people will lose trust in age-verification systems.
- A proposed technical solution is Zero-Knowledge Proofs, which allow you to prove a certain statement (I’m over 18!) without revealing sensitive data related to the statement (date of birth!).