My latest: Discord said late on Friday that hackers stole users' government-issued IDs (passports and driver's licenses) from one of its customer support databases.
I wrote a few words about the risks of age verification laws, and why collecting people's government IDs is bad for security and privacy.
For more on the Discord data breach, and all of the other cyber news you need to know from the week (plus news you might've missed), my cybersecurity newsletter has you covered.
Out Sundays. No email link/click tracking!
Sign up/RSS today! https://this.weekinsecurity.com/
@f4grx @fishidwardrobe @zackwhittaker @signalapp
Signal keeps the following data:
# Account
Phone number: (phone number)
Allow sealed sender from anyone: true
Find account by phone number: true
Badges: None
# Devices
- ID: 1
Created: 2025-08-31T21:29:44Z
Last seen: 2025-10-04T00:00:00Z
User-agent: OWA
I have never and will never give my ID to a website/app.
Hard no.
If your site requires it, I will simply go somewhere else. The Internet is vast.
@zackwhittaker This news will actually help shoot down new age verification laws.
I do not have a single account anywhere with age verification and I will keep it that way no matter what. I will always refuse to use any site that asks for ID, same as I refuse to complete any purchase in any store that asks for ID.
@zackwhittaker The Belgian ID system I have worked on back in the day works with a government SAML service on top of an in-house, not outsourced authentication system.
No data is passed on to the requestor without the correct authorisations, and in case of an age check, an age is given in the request, and only a yes/no is returned.
The UK government excels in making botch jobs of each and every IT project, if only because they outsource everything, and those companies have different interests.
@luksfarris @zackwhittaker Exactly.
The government is responsible for its citizens ID information, which should never, ever, be outsourced, and access should be on a need to know and need to have basis,
In Belgium you use it to interact with all government services, from paying your taxes to identifying yourself with the council when you renew your driving license, or when you register after having moved house.
In the UK, security is a username and password, absolutely rediculous.
@zackwhittaker Not only that, but the hackers also probably got access to the pictures that Discord require with the user holding the id
So they full on got their face, government id and everything.
@zackwhittaker Including usernames, so those users can now get harassed and doxxed.
Breaches on support platforms aren't uncommon, these companies need to secure their support stuff.
@zackwhittaker Completely Zendesk's fault too probably.
Airbnb, Uber, Squarespace, Spotify, Vimeo, OpenTable, Shopify, Slack, and Zoosk, The Internet Archive, Discord and many more have suffered breaches due to Zendesk
jah
Zack Whittaker
F4GRX Sébastien
Fuxle 
🔜EF30
Loxbert Asher
⁂ Fish Id Wardrobe
Farshid Hakimy / فرشید
Brokar
fcalva
AnneH
troy_friz_zell
Joseph Lorenzo Hall, PhD
chuckadeus kummerer
icanttellyou
woe2you
LukefromDC
WanWizard 🏴 🇳🇱
luksfarris
Knightmare
Luna chan
Vendetta
Scan
Matthew Walton
Sandro 
