Hi there,
Here are the three consumer-privacy stories from the past month we think are worth your time, with clear next steps.
Discord age-verification images leaked
What happened
A third-party support/verification vendor working with Discord was compromised. Images people uploaded for age checks, such as driver’s licenses, passports, and face selfies, were copied. The core issue isn’t just the breach; it’s the practice of collecting and storing high-risk documents in the first place, often via vendors users never see.
What was exposed
Scans/photos of government IDs and matching selfies, plus typical metadata (full name, birth date, document number, issuing country, sometimes address). Even if Discord deletes uploads promptly, a vendor may retain copies in tickets, logs, or backups.
Who’s affected
Anyone who submitted ID for Discord age verification in the relevant period—including people who interacted with support and didn’t realize a separate vendor was involved.
Why age-verification laws can harm consumers
They force mass collection of sensitive IDs. When the law pushes platforms to “prove” age, many default to document uploads. That creates huge databases of passports and driver’s licenses—prime targets for theft.
Vendors multiply the risk. Platforms typically outsource verification. Each extra party adds storage, backups, employee access, and potential misconfigurations. Users rarely know who these vendors are or how long they keep data.
“Delete after check” isn’t guaranteed. In practice, copies live on in support tickets, QA screenshots, caches, and backups. Once leaked, you can’t rotate a date of birth or ID number.
Function creep. Photos and IDs collected “just for age” can be reused later—for marketing, fraud scoring, or law-enforcement fishing—unless tightly banned and audited.
Anonymity suffers. Mandatory ID checks chill speech and participation, especially in sensitive communities (health, LGBTQ+, political dissent).
Better approaches (what we advocate)
Privacy-preserving age assurance (on-device estimation, cryptographic “proof of age” tokens from trusted IDs without revealing identity or storing documents).
Strict data-minimization and retention caps (no vendor retention beyond a brief verification window; independent audits).
Real alternatives for users who can’t or shouldn’t upload IDs (supervised accounts, feature gating without identity, prepaid age-verified tokens).
Clear vendor transparency (who handles your data, where it’s stored, how/when it’s deleted).
What you can do
Close your Discord account and delete your data → https://yourdigitalrights.org/d/discord.com
Turn on 2FA for the email accounts tied to Discord; change your Discord password if reused anywhere else.
Watch for targeted phishing that references your real details (“re-verify your age”). Open Discord directly—don’t use links in messages.
Going forward, avoid ID uploads where possible; if unavoidable, ask for written retention limits and deletion confirmation.
Prosper breach exposed highly sensitive personal data
What happened
Prosper (peer-to-peer lending) disclosed a large breach discovered in late September/early October. Data was accessed from systems holding consumer and borrower information.
What was exposed
Contact details (name, email, phone, address), government-ID details (e.g., SSN/ID numbers, DOB), and in some cases income/employment information used for underwriting. Payment credentials are not the main concern here—the exposure is the dense identity profile.
Who’s affected
Current and past applicants/borrowers, as well as some individuals who were invited or pre-qualified. Even if you didn’t complete a loan, application data may still be in scope.
Why it matters
This is precisely the mix that enables new-account fraud (credit cards/loans opened in your name).
Expect targeted phishing that references your real employer/income or application status.
Because SSNs/ID numbers don’t change easily, the risk persists for years, not weeks.
What you can do
Delete your data → https://yourdigitalrights.org/d/prosper.com
Place a credit freeze (free in many jurisdictions). It prevents new credit from being opened in your name until you explicitly lift the freeze.
Set fraud alerts with major bureaus; check your credit report over the next 12–24 months for unfamiliar inquiries or accounts.
Treat “we need to verify your identity/application” calls/texts as hostile by default. Hang up and call the institution via the official number in their app or on their card.
Qantas customer data posted after a third-party compromise
What happened
A vendor servicing multiple brands was breached; data sets for Qantas customers were among those posted. This is a classic supply-chain incident: you trusted the airline; the weak link was a contractor.
What was exposed
Personal profile fields such as name, email, phone, date of birth, and frequent-flyer details (membership numbers, sometimes status or points context). Payment card data was not the focus, but profile data is more than enough for convincing scams.
Who’s affected
Qantas customers whose profiles were synced or processed by the impacted vendor during the relevant window—this can include inactive accounts if data wasn’t purged.
Why it matters
Phishing is easier when attackers know your airline and loyalty details (“your flight has changed”, “points expiring: confirm now”).
If they can take your email account, they can reset everything else; travel accounts are attractive because of stored identities and rewards.
What you can do
Delete your data → https://yourdigitalrights.org/d/qantas.com
Don’t follow flight/account links from email/SMS. Open the airline app or type qantas.com yourself.
Enable 2FA on your email and your airline account; review security questions and recovery addresses/phones.
Check your frequent-flyer history for unfamiliar redemptions or name/phone changes.
If you shared passport details with any airline, consider renewing sooner if you encounter misuse (varies by country).
Product news — YourDigitalRights.org
New regulation support (October)
Maryland (MD) — Maryland Online Data Privacy Act
Indiana (IN) — Indiana Consumer Data Protection Act
Kentucky (KY) — Kentucky Consumer Data Protection Act
Rhode Island (RI) — Rhode Island Data Transparency and Privacy Protection Act
New regulation support (May)
China (CN) — Personal Information Protection Law
South Africa (ZA) — Protection of Personal Information Act
Tennessee (TN) — Tennessee Information Protection Act
Minnesota (MN) — Minnesota Consumer Data Privacy Act
Australia (AU) — Australian Privacy Principles
Jordan (JO) — Personal Data Protection Law
Thailand (TH) — Personal Data Protection Act
Localization
YourDigitalRights.org now supports 30 languages so more people can use their rights in the language they’re most comfortable with.
Quick actions
Delete your data from Discord → https://yourdigitalrights.org/d/discord.com
Delete your data from Prosper → https://yourdigitalrights.org/d/prosper.com
Delete your data from Qantas → https://yourdigitalrights.org/d/qantas.com
Turn on 2FA (email first), use a password manager, and don’t reuse passwords.
Clean up old accounts you no longer use; fewer accounts = smaller attack surface.
Please consider donating to Conscious Digital. By donating or becoming a supporting member, you can help ensure our long-term financial stability and independence.