> Discord has identified approximately 70,000 users that may have had their government ID photos exposed as part of a customer service data breach announced last week, spokesperson Nu Wexler tells The Verge.
Then a big PR quote, letting a potential wrongdoer further spin it.
Then closing with:
> In its announcement last week, Discord said that information like names, usernames, emails, the last four digits of credit cards, and IP addresses also may have been impacted by the breach.
This is awful corporate PR language, not journalism, on a big story about probable corporate negligence resulting in harm to tens of thousands people.
Here's the bare minimum kind of lede I expect on this reporting:
Discord may have leaked sensitive personal information about 70,000 users -- including (but not necessarily limited to) government IDs, names, usernames, email addresses, last 4 digits of SSN, and IP addresses.
> Discord may have leaked sensitive personal information about 70,000 users -- including (but not necessarily limited to) government IDs, names, usernames, email addresses, last 4 digits of SSN, and IP addresses.
Credit card numbers are not SSNs, and I can't fathom why Discord would have the latter (I certainly never gave them any government ID either). Not to mention, "last 4 digits" of a credit card number will commonly appear on, for example, store receipts that people commonly just leave behind. Usernames can hardly be called sensitive information, either. The point is all the other stuff being tied to the username.
Age verification is "scan your government ID or give us a detailed video of your face from various angles, open and close your mouth" etc. Not sure which is better to give out in a breach
It’s an escalation path. When you store and image of an ID unnecessarily, then associate it with those last four digits, you’ve created a way to link other data sources to individuals.
Most scenarios I’ve worked with, you toss the ID image once you validate it.
The fact that the data is digitized, indexed and can be easily correlated with other data points is what turns your seemingly innocuous 4 numbers into a way to better impersonate, phish, or otherwise harm you.
Opening with:
> Discord has identified approximately 70,000 users that may have had their government ID photos exposed as part of a customer service data breach announced last week, spokesperson Nu Wexler tells The Verge.
Then a big PR quote, letting a potential wrongdoer further spin it.
Then closing with:
> In its announcement last week, Discord said that information like names, usernames, emails, the last four digits of credit cards, and IP addresses also may have been impacted by the breach.
This is awful corporate PR language, not journalism, on a big story about probable corporate negligence resulting in harm to tens of thousands people.
Here's the bare minimum kind of lede I expect on this reporting:
Discord may have leaked sensitive personal information about 70,000 users -- including (but not necessarily limited to) government IDs, names, usernames, email addresses, last 4 digits of SSN, and IP addresses.
I'm ready to block both Discord and The Verge.