This is not OK, and the reporting is not OK.

Opening with:

> Discord has identified approximately 70,000 users that may have had their government ID photos exposed as part of a customer service data breach announced last week, spokesperson Nu Wexler tells The Verge.

Then a big PR quote, letting a potential wrongdoer further spin it.

Then closing with:

> In its announcement last week, Discord said that information like names, usernames, emails, the last four digits of credit cards, and IP addresses also may have been impacted by the breach.

This is awful corporate PR language, not journalism, on a big story about probable corporate negligence resulting in harm to tens of thousands people.

Here's the bare minimum kind of lede I expect on this reporting:

Discord may have leaked sensitive personal information about 70,000 users -- including (but not necessarily limited to) government IDs, names, usernames, email addresses, last 4 digits of SSN, and IP addresses.

I'm ready to block both Discord and The Verge.

> Discord may have leaked sensitive personal information about 70,000 users -- including (but not necessarily limited to) government IDs, names, usernames, email addresses, last 4 digits of SSN, and IP addresses.

Credit card numbers are not SSNs, and I can't fathom why Discord would have the latter (I certainly never gave them any government ID either). Not to mention, "last 4 digits" of a credit card number will commonly appear on, for example, store receipts that people commonly just leave behind. Usernames can hardly be called sensitive information, either. The point is all the other stuff being tied to the username.

Age verification is "scan your government ID or give us a detailed video of your face from various angles, open and close your mouth" etc. Not sure which is better to give out in a breach

It's enough data that, combined with photos and videos from social media, could allow for more convincing deepfakes of your average person.

It's also enough data to improve surveillance and facial recognition systems, allowing them to identify you more easily.

I think it's less a case of which is better and more of which is less bad...

It’s an escalation path. When you store and image of an ID unnecessarily, then associate it with those last four digits, you’ve created a way to link other data sources to individuals.

Most scenarios I’ve worked with, you toss the ID image once you validate it.

The fact that the data is digitized, indexed and can be easily correlated with other data points is what turns your seemingly innocuous 4 numbers into a way to better impersonate, phish, or otherwise harm you.

I think discord is one of the services that requires age verification in some countries.

This is what most of journalism has been for quite some time. Read some of Noam Chomskys work.