alt Hacker News> Discord may have leaked sensitive personal information about 70,000 users -- including (but not necessarily limited to) government IDs, names, usernames, email addresses, last 4 digits of SSN, and IP addresses.
Credit card numbers are not SSNs, and I can't fathom why Discord would have the latter (I certainly never gave them any government ID either). Not to mention, "last 4 digits" of a credit card number will commonly appear on, for example, store receipts that people commonly just leave behind. Usernames can hardly be called sensitive information, either. The point is all the other stuff being tied to the username.
Replies
It’s an escalation path. When you store and image of an ID unnecessarily, then associate it with those last four digits, you’ve created a way to link other data sources to individuals.
Most scenarios I’ve worked with, you toss the ID image once you validate it.
The fact that the data is digitized, indexed and can be easily correlated with other data points is what turns your seemingly innocuous 4 numbers into a way to better impersonate, phish, or otherwise harm you.
I think discord is one of the services that requires age verification in some countries.
Age verification is "scan your government ID or give us a detailed video of your face from various angles, open and close your mouth" etc. Not sure which is better to give out in a breach