Discord has been hit with an €800,000 fine by French regulator CNIL over an assortment of GDPR violations, including failure to mandate strong enough passwords and failure to provide default data protection during voice chats.
Though the fine is not one of the largest issued by CNIL (or for general GDPR violations across the bloc), the case is noteworthy in that Discord is mostly being taken to task for not providing default or built-in security options rather than the fallout of a specific data breach. The app stores relatively little personal information and individual users can make it virtually anonymous for themselves, but there are greater security concerns for businesses that make use of it for marketing or internal collaboration.
Discord GDPR violations include data retention issues, insecure passwords, impact assessments
While it is not as widely used as collaboration tools like Slack and Trello, some businesses use Discord for similar purposes; it is particularly popular in the video game development industry, where it is something that employees and customers already regularly use (and also has the bonus of being free). Some major brands, particularly in the fast food and clothing industries, have also started experimenting with marketing and setting up their own servers via Discord in the past two years.
Discord ended up being fined by CNIL for five separate GDPR violations. The first was its data retention practices. The company did not have a written data retention policy, and an investigation turned up over 2.4 million French accounts that had been inactive for at least three years and a further 58,000 that had been inactive for over five years. After being notified of the discrepancy, Discord has since instituted a written policy that specifies account data will be removed after two years of inactivity. This also covered the second of the GDPR violations, a failure to comply with the obligation to provide data retention information under Article 13 of France’s local regulations.
Failure to carry out a data protection impact assessment was the third of the GDPR violations, in violation of Article 35 (which covers requirements when large amounts of personal data are automatically processed). Though the company is not known for storing personal data, the investigation determined that it stored a sufficient quantity and was also subject to the requirement because of its particular focus on audiences that tend to include large numbers of minors. This is another area that the company has since addressed, conducting two impact assessments since the investigation began.
The final two GDPR violations are the interesting ones. The first is a “failure to ensure data protection by default” finding under Article 25.2. This relates to how the app closes out voice chats when being used in Microsoft Windows. Windows users are used to clicking the “X” in the upper right to completely terminate a program or a window, but doing this in Discord simply moves an active voice chat to the background; the investigation found users may not realize that their voice is still being recorded or broadcast in this state. Discord addressed this finding by adding a pop-up notification that reminds users that voice chats are still running and active when the “X” is clicked.
The final finding was a failure to ensure security of personal data under Article 32, for allowing users to set insufficiently secure passwords. The previous password requirement was six characters with a mix of letters and numbers. It is now eight characters with at least one capital letter and special character, and a CAPTCHA has been implemented after 10 unsuccessful login attempts.
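The two password rules and the CAPTCHA threshold described above are simple enough to express directly. The following is an added illustration written for this article, not Discord's code and not anything CNIL published: it encodes the old six-character letters-and-numbers rule, the current eight-character rule with a capital letter and a special character, and a per-account failed-login counter that demands a CAPTCHA after the tenth failure. The exact character classes used, the `LoginGuard` name and the in-memory counter are this example's own assumptions.

```python
import string

# Thresholds taken from the article; everything else here is illustrative.
CAPTCHA_THRESHOLD = 10  # failed logins before a CAPTCHA is required


def meets_old_policy(password: str) -> bool:
    """Old rule as described: at least 6 characters with a mix of letters and numbers."""
    return (
        len(password) >= 6
        and any(c.isalpha() for c in password)
        and any(c.isdigit() for c in password)
    )


def meets_new_policy(password: str) -> bool:
    """Current rule as described: at least 8 characters, at least one capital
    letter and at least one special character (assumed here to mean ASCII punctuation)."""
    return (
        len(password) >= 8
        and any(c.isupper() for c in password)
        and any(c in string.punctuation for c in password)
    )


def accepted_only_by_old_policy(candidates):
    """Return the passwords a user could have set under the old rule that the
    current rule would reject. Useful for deciding which existing accounts
    should be asked to reset at next login."""
    return [p for p in candidates if meets_old_policy(p) and not meets_new_policy(p)]


class LoginGuard:
    """Counts consecutive failed logins per account and requires a CAPTCHA once
    the count reaches the threshold. The dictionary is in-process for
    illustration only; a real deployment keeps the counter in a shared store so
    it is consistent across servers and survives restarts."""

    def __init__(self, threshold: int = CAPTCHA_THRESHOLD):
        self.threshold = threshold
        self._failures: dict[str, int] = {}

    def captcha_required(self, account: str) -> bool:
        return self._failures.get(account, 0) >= self.threshold

    def record_attempt(self, account: str, success: bool) -> bool:
        """Record one login attempt; a success clears the counter.
        Returns whether the next attempt for this account needs a CAPTCHA."""
        if success:
            self._failures.pop(account, None)
        else:
            self._failures[account] = self._failures.get(account, 0) + 1
        return self.captcha_required(account)


if __name__ == "__main__":
    # Constructed sample passwords, not real credentials.
    samples = ["abc123", "password1", "Abc123!x", "Correct-Horse-9"]
    for p in samples:
        print(f"{p!r:20} old={meets_old_policy(p)} new={meets_new_policy(p)}")
    print("would need a reset:", accepted_only_by_old_policy(samples))

    guard = LoginGuard()
    for _ in range(CAPTCHA_THRESHOLD):
        guard.record_attempt("user@example.invalid", success=False)
    print("captcha required:", guard.captcha_required("user@example.invalid"))
```

Two design points worth noting. A CAPTCHA after repeated failures is a softer control than a hard lockout: it slows online guessing without letting anyone who knows a victim's username lock that victim out by deliberately failing ten times. And composition rules of the kind described here are only part of the picture; current guidance such as NIST SP 800-63B puts more weight on minimum length and on screening new passwords against lists of known-breached values than on requiring particular character classes.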
Some pains as Discord experiences strong growth
Though not tied to the GDPR violations or fines in this case, Discord has had some recent struggles with cybersecurity as its monthly active user count has shot up since 2020.
One of the biggest stories came early this year, as the company (along with Apple and Facebook) was tricked by a group of hackers posing as law enforcement. Discord and the other companies provided basic contact information about certain users along with IP addresses and phone numbers; there is some speculation that North Korea’s state-backed Lapsus$ group was behind the attack.
The company generally has a good reputation for internal security, but has taken some substantial flak as of late for not doing enough to curb attacks against its users via the platform. Some have complained that the way the company handles 2FA logins makes it too easy for an attacker to compromise someone by sending them a malicious link, and that the account recovery process is lengthy and difficult once an account is compromised. There have also been issues with abuse of malicious npm packages, and organized campaigns that accuse users of sending explicit photos and attempt to redirect them to an attack site that hijacks their account.