| ▲ | accrual 9 hours ago |
| Here's the October 2025 Discord data breach mentioned at the end of the article: https://www.bbc.com/news/articles/c8jmzd972leo > Discord, a messaging platform popular with gamers, says official ID photos of around 70,000 users have potentially been leaked after a cyber-attack. However, their senior director states in this Verge article: > The ID is immediately deleted. We do not keep any information around like your name, the city that you live in, if you used a birth certificate or something else, any of that information. Why they didn't do that the first time? |
|
| ▲ | pavel_lishin 8 hours ago | parent | next [-] |
| > The ID is immediately deleted. We do not keep any information around like your name, the city that you live in, if you used a birth certificate or something else, any of that information. This is also contradicted by what Discord actually says: > Quick deletion: Identity documents submitted to our vendor partners are deleted quickly— in most cases, immediately after age confirmation. What are the non-most cases? |
| |
| ▲ | rsynnott 7 hours ago | parent | next [-] | | Also, _Discord_ deleting them is really only half the battle; random vendors deleting them remains an issue. | | |
| ▲ | rockskon 5 hours ago | parent | next [-] | | Not to mention collecting them at all means those servers are a primo location for state actors to stage themselves to make copies of data before being deleted. To say nothing of insider threats of which likely exist across every major social media platform in service to foreign govs. | |
| ▲ | AlienRobot 2 hours ago | parent | prev [-] | | Weird that I have to get a list of all the cookie vendors that know I visit a website to show me an ad about something I already bought but the guys with my ID don't need to be listed. |
| |
| ▲ | throw20251220 5 hours ago | parent | prev [-] | | Since when the city one lives in is mentioned in the birth certificate? | | |
| ▲ | smcin 4 hours ago | parent [-] | | It was only one example they gave, and they accept multiple different types of ID; a driver's license or national ID card being other likely ones, and DLs do say where you live. | | |
| ▲ | kvdveer 4 hours ago | parent | next [-] | | None of those documents reliably state my city of residence. At best they document where I once lived, but not even that is guaranteed. | | |
| ▲ | malfist an hour ago | parent [-] | | You are legally required to update those within 10 days of moving. |
| |
| ▲ | throw20251220 3 hours ago | parent | prev [-] | | What kind of tyranny do you live in? None of the documents I have on me say where I live. | | |
| ▲ | swiftcoder 2 hours ago | parent | next [-] | | It's pretty standard in a lot of Europe, one is required to update ones license with each change of address (although many people don't). Along with such weird (to us) things as applying for an exit visa from your current town when you want to move to a new town... | | |
| ▲ | throw20251220 2 hours ago | parent [-] | | Which parts of Europe have a town of where the person lives on their driving license? And what do you mean by “us”? | | |
| ▲ | swiftcoder 2 hours ago | parent | next [-] | | My Spanish identity card has my full address. Not sure if the DNI does as well, or only the foreign resident version. > And what do you mean by “us”? US folks are pretty used to being able to up and drive across the country with a suitcase, without filing any paperwork (at least till the taxman comes knocking next April) | | |
| ▲ | Forgeties79 20 minutes ago | parent | next [-] | | Have to get your vehicle registered in your new state as well (if you own one) as well as your driver’s license. God help you if your vehicle is towed and your license/vehicle is not registered in the current state. Absolute mess. | |
| ▲ | throw20251220 2 hours ago | parent | prev [-] | | I ask you about drivers license, you tell me about the national ID. |
| |
| ▲ | gambiting 2 hours ago | parent | prev [-] | | UK driver's licence has my full home address on it. Come to think of it I think my Polish one used to as well. |
|
| |
| ▲ | mcapodici 2 hours ago | parent | prev [-] | | Australia and UK goes the full distance. Your full address: https://en.wikipedia.org/wiki/Driver%27s_licences_in_Austral... |
|
|
|
|
|
| ▲ | CGMthrowaway 3 hours ago | parent | prev | next [-] |
| > The ID is immediately deleted. We do not keep any information around like your name, the city that you live in, if you used a birth certificate or something else, any of that information. Everyone says this, including the TSA. But they never say they don't keep a hash, or an eigenvector of your biometric. Which is equally as important. |
| |
| ▲ | hinata08 3 hours ago | parent [-] | | They also never say it goes through datacenters in room 641A or though Utah before it's "deleted", because it's a US company and they can't refuse that. |
|
|
| ▲ | debo_ 5 hours ago | parent | prev | next [-] |
| I believe the original finding was that they were not deleting IDs that were involved in disputes. |
|
| ▲ | Aurornis 5 hours ago | parent | prev | next [-] |
| They explained it in their announcement at https://discord.com/press-releases/update-on-security-incide... TL;DR: The IDs were used in age-related appeals. If someone's account was banned for being too young they have to submit an ID as part of the appeal. Appeals take time to process and review. Discord has 200,000,000 users and age verification happens a lot due to the number of young users and different countries. |
| |
| ▲ | plorg 4 hours ago | parent | next [-] | | Why should we suspect the age verification and age-related appeals would involve different teams or processes? | | |
| ▲ | elpasi 3 hours ago | parent | next [-] | | Age verification is done by an iframe to k-id.com. Appeals are done in the actual Discord ticketing system. | |
| ▲ | Aurornis 2 hours ago | parent | prev [-] | | Appeals are like escalations. They bypass automations and move to manual review. |
| |
| ▲ | reactordev 3 hours ago | parent | prev [-] | | This is corporate cover speak for “we keep all data” |
|
|
| ▲ | wolvoleo 9 hours ago | parent | prev | next [-] |
| And do they really actually delete it this time? |
|
| ▲ | bilekas 3 hours ago | parent | prev | next [-] |
| Until we have some kind of "One Time ID Verification" service that would work, the ID will never be deleted. Or a hash of the info or some kind of identifiable info. |
|
| ▲ | varispeed 5 hours ago | parent | prev | next [-] |
| > The ID is immediately deleted. I call it bollocks. Likely they have to keep it for audit and other purposes. |
| |
| ▲ | smaudet 4 hours ago | parent | next [-] | | "delete" doesn't mean delete anymore, like you say, there are always audit logs, and there is "soft" deleting. Expect any claims that things are being deleted to be a bold faced lie. | |
| ▲ | subscribed 4 hours ago | parent | prev [-] | | They wouldn't _have to_, audit checks if you stick to law, your own policies and such, but I think they will. | | |
| ▲ | varispeed 4 hours ago | parent [-] | | So how do they prove they actually checked someone's age? | | |
| ▲ | Gigachad 2 hours ago | parent | next [-] | | They don’t need to prove that. The government or whatever would have to prove that they aren’t checking ages, by going to the site and seeing a lack of age verification. | |
| ▲ | lII1lIlI11ll 3 hours ago | parent | prev [-] | | How does shop clerk proves they checked someone's age before selling them alcohol? |
|
|
|
|
| ▲ | Hikikomori 8 hours ago | parent | prev | next [-] |
| >Why they didn't do that the first time? The company they hired to do the support tickets archived them, including attachments, rather than deleting them. |
| |
|
| ▲ | observationist 5 hours ago | parent | prev | next [-] |
| They're a nonsense company, and trusting them with any information is foolish.
They'll store everything and anything, because data is valuable, and won't delete anything unless legally compelled to and held accountable by third party independent verification. This is the default. The purpose of things is what they do. They're an adtech user data collection company, they're not a user information securing company. |
|
| ▲ | _ink_ 4 hours ago | parent | prev | next [-] |
| Compliance |
|
| ▲ | moffkalast 38 minutes ago | parent | prev | next [-] |
| Sigh, I guess it's time to move platforms again or get your identity stolen. The more a company makes a fuss about trusting users, the more likely they store all of their shit in plaintext with vibe coded server security. |
|
| ▲ | reactordev 3 hours ago | parent | prev | next [-] |
| Liars… |
|
| ▲ | IhateAI_3 5 hours ago | parent | prev [-] |
| [dead] |
