It is a common misconception that facts are reported because they are surprising. Facts are reported because they are important. More and more governments are passing age verification laws which put exactly this data in to the hands of even more shady private companies. This breach serves as evidence that those laws are misguided, and spreading news of this event may help build public support for those efforts.

It's not surprising because there's never been a significant penalty for it, I guess because everybody just got completely used to massive breaches without much reaction. But then again it's very hard to get legislation passed that's not in the interests of big business.

ZK proofs for identity can't go mainstream quick enough. I agree with what you're saying completely. It's frustrating that we have the technology now to verify aspects of someone's identity without revealing it, but that it's going to take forever to become robust enough for mainstream use.

For years, I resisted TSA Pre check on principle, even though I was a frequent traveler. I finally relented when I realized there were places like Thailand that force you to give your biometrics, and almost certainly sell them back to shadowy US agencies.

Developer time is more valuable than user data. The market is being efficient.

> I basically treat it as 'any member of public can now access it'.

Still remember the conversation over "mega apps"?

Based on my experience with Alipay, which was a Chinese financial focused mega app but now more like a platform of everything plus money, the idea of treating every bit information you uploaded online as public info is laughable.

Back when Alipay was really just a financial app, it make sense for it to collect private information, facial data, government issued ID etc. But now as a mega app, the "smaller app" running inside it can also request permission to read these private information if they wanted to, and since most users are idiots don't know how to read, they will just click whatever you want them to click (it really work like this, magic!).

Alipay of course pretends to have protection in place, but we all know why it's there: just to make it legally look like it's the user's fault if something went wrong -- it's not even very delicate or complex. Kinda like what the idea "(you should) treat it (things uploaded online) as 'any member of public can now access'" tries to do, blame the user, punch down, easy done.

But fundamentally, the information was provided and used in different context, user provided the information without knowing exactly how the information will be used in the future. It's a Bait-and-switch, just that simple.

Of course, Discord isn't Alipay, but that's just because they're not a mega app, yet. A much healthier mentality is ask those companies to NOT to collect these data, or refuse to use their products. For example, I've not ever uploaded my government ID photos to Discord, if some feature requires it, I just don't use that feature.

Honestly I don't understand why so many things are tied to one secret _that you have to share with others_ all the time.

Why is there no rotation possible? Why is there no API to issue a new secret and mark the previous one as leaked? Why is there no way to have a temporary validation code for travels, which gets auto revoked once the citizens are back in their home country?

It's like governments don't understand what identity actually means, and always confuse it with publicity of secrets.

I mean, more modern digital passports now have a public and private key. But they put the private key on the card, which essentially is an absolute anti pattern and makes the key infrastructure just as pointless.

If you as a government agency have a system in place that does not accommodate for the use case that passports are stolen all the time, you must be utterly out of touch with reality.

I blame companies (including discord) for collecting as much information as they can instead of as little as possible. More data collected -> more data that will eventually get sold / leaked / hacked.

Also this is an issue with people willing to send important documents to some company with which they do not even have a written agreement.

> this is a systemic issue of governments not having/not enforcing serious security measures.

To do so seems impractical. Imagine the government machinery that would be required to audit all companies and organizations and services to which someone can upload PII.

Not tractable.

I told the 2 servers I hang in about a month ago that if I randomly disappear it’s because I can’t login without an ID and I’m simply not doing it/that they should consider the post my preemptive “goodbye.” I included where to contact me for those who want to. Frankly I think anyone on discord should do the same

It’s surprising that it happened to a big name like Discord in this day and age. Huge data breaches of large tech companies are becoming increasingly rare as security in general is getting better.