Discord-ed | Can Zoom use your data to train its AI?
CyberInsights #106 - 760k Discord Account Data Breach | Zoom updates its terms of service
760k users' data breached via discord.io
Breached data could include billing addresses as well as salted and hashed passwords
Around 760,000 users of discord.io have had their data breached. The data was put up on the recently relaunched Breached dark web forum. Read more about it here.
Discord.io is an independent service provider and is not related to Discord (discord.com). The site let you list your channel and search for channels of interest. As of 14 Aug 2023 it has suspended its operations in acknowledgement of the breach.
Discord.io's own notice says the following information about users has been breached:
Your internal user ID
Information about your avatar
Your status (moderator/admin/has ads/banned/public/etc)
Your coin balance, and current streak in our free minigame.
Your API key (this does not give access to your account, and was only available to less than a dozen users).
Your registration date.
Your last payment date and the expiration date of your premium membership.
Potentially sensitive information compromised:
Your username
Your Discord ID
Your email address
Your billing address
Your salted and hashed password
While discord.io investigates the breach, it has completely stopped operations. Its previous site on the Wayback Machine is here:
While we wait for more information from discord.io, this is a wake-up call for all infosec folks. What is the business impact of a data breach?
Take Action:
If your organisation uses Discord, check whether any of your users' details appear in the dump and ask all users to change their passwords immediately. The real risk is password reuse: a salted and hashed password is still recoverable offline if it is weak, and the same password may be in use on a corporate account.
If your organisation does not use Discord but has a reasonably young population, send out a mailer about the discord.io data breach and ask users to change their personal passwords. (Hint: regular gamers use Discord frequently; if you have a gaming population, you have Discord users.)
Take this as an opportunity to assess the business impact of a data breach (data exfiltration) on your organisation. Sometimes, the answer stares at you and is not pleasant.
If you are a cyber insurer, then this is an opportunity to see if a data breach can lead to a ‘Business Interruption’ claim. After all, it’s not a direct impact, but discord.io did have to shut down its business.
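The following is an added example, not code from CyberInsights or from discord.io, to make the two points above concrete: matching a breach dump against your own mail domains, and why "salted and hashed" does not excuse a weak password from being changed. It assumes the dump is a CSV of email, salt and hash, that the hash is hex(SHA-256(salt || password)) (the page does not say which scheme discord.io used), and it builds its own constructed sample records rather than using any real data.

```python
import csv
import hashlib
import io

# Hash scheme assumed for this example: hex(sha256(salt || password)).
# The page does not say which algorithm discord.io used. A slow, memory-hard
# KDF (bcrypt/scrypt/Argon2) makes the loop in crack() far more expensive,
# but does not rescue a password that sits near the top of a wordlist.
def salted_hash(salt, password):
    return hashlib.sha256((salt + password).encode("utf-8")).hexdigest()


def build_constructed_dump():
    """Constructed sample dump in the shape 'email,salt,hash' (not real data).

    Fixed salts keep the sample deterministic; a real dump would carry a
    random per-user salt, which is exactly what crack() handles.
    """
    rows = [
        ("alice@example.com", "a1b2c3d4", "password123"),            # weak
        ("bob@corp.example", "e5f6a7b8", "Welcome2023!"),            # weak corporate pattern
        ("carol@example.com", "c9d0e1f2", "Z7#qP2v!mL9sR4wX8bN1"),   # strong, not in any wordlist
        ("dave@gamerhost.net", "0a1b2c3d", "dragon"),                # weak, but not one of our domains
    ]
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["email", "salt", "hash"])
    for email, salt, password in rows:
        writer.writerow([email, salt, salted_hash(salt, password)])
    return buf.getvalue()


def parse_dump(text):
    """Read the CSV dump into a list of {'email', 'salt', 'hash'} dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def affected_accounts(records, org_domains):
    """'Check if user details are compromised': rows whose mail domain is ours."""
    domains = {d.lower() for d in org_domains}
    return sorted(r["email"] for r in records
                  if r["email"].rsplit("@", 1)[-1].lower() in domains)


def crack(records, wordlist):
    """Offline dictionary attack against salted hashes.

    The salt defeats precomputed (rainbow) tables and forces one hash per
    guess per user. With a fast hash that costs nothing, so every password
    that appears in a wordlist still falls; only the strong one survives.
    """
    found = {}
    for r in records:
        for guess in wordlist:
            if salted_hash(r["salt"], guess) == r["hash"]:
                found[r["email"]] = guess
                break
    return found


# Tiny constructed wordlist standing in for a real one (rockyou, etc.).
COMMON_PASSWORDS = ["123456", "password", "dragon", "qwerty",
                    "password123", "Welcome2023!", "letmein"]


def demo():
    records = parse_dump(build_constructed_dump())
    exposed = affected_accounts(records, {"example.com", "corp.example"})
    cracked = crack(records, COMMON_PASSWORDS)
    return exposed, cracked


if __name__ == "__main__":
    exposed, cracked = demo()
    print("our accounts present in the dump:", exposed)
    for email, password in cracked.items():
        print(f"recovered {email}: {password!r}")
    print("not recovered:", [e for e in exposed if e not in cracked])
```

Swap in your real domain list and the real wordlist and the same two functions give you the list of accounts to force-reset and a rough measure of how many of them were one guess away from compromise, salt or no salt.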
Zoom updates its terms of service
It should worry you.
I read this first on Bruce Schneier's blog. Long-time readers of CyberInsights will know that I refer to Bruce's blog often. He tends to catch things that most of us miss.
On the 11th of August, 2023, Zoom updated its terms of service. The reason for the update as per the Terms of Service Update Notes:
Updates to Section 10 to clarify Zoom’s data usage practices, narrow the scope of Zoom’s licenses and clarify that Zoom does not use audio, video or chat Customer Content to train its artificial intelligence models.
So we should read the relevant section, Section 10, to see what they mean when they say they will not use our data to train AI models. This is what it says:
10.2 Permitted Uses and Customer License Grant. Zoom will only access, process or use Customer Content for the following reasons (the “Permitted Uses”): (i) consistent with this Agreement and as required to perform our obligations and provide the Services; (ii) in accordance with our Privacy Statement; (iii) as authorized or instructed by you; (iv) as required by Law; or (v) for legal, safety or security purposes, including enforcing our Acceptable Use Guidelines. You grant Zoom a perpetual, worldwide, non-exclusive, royalty-free, sublicensable, and transferable license and all other rights required or necessary for the Permitted Uses.
Zoom does not use any of your audio, video, chat, screen sharing, attachments or other communications-like Customer Content (such as poll results, whiteboard and reactions) to train Zoom or third-party artificial intelligence models.
Interesting, right? Why would Zoom update its terms of service just to tell us that it will not use our data to train AI models? If you go through the Privacy Statement, you will find exactly the same line.
The interpretation should be like this:
Zoom will not use the following data to train AI models, but it can use all other data and metadata:
audio
video
chat
screen sharing
attachments
other communications-like Customer Content (poll results, whiteboard, reactions)
Now it makes sense. So far, Zoom has only pinky-promised not to use our data.
Take Action:
No direct action item for anyone here. Just remember this line from what Bruce writes:
Of course, these are Terms of Service. They can change at any time. Zoom can renege on its promise at any time. There are no rules, only the whims of the company as it tries to maximize its profits.
It’s a stupid way to run a technological revolution. We should not have to rely on the benevolence of for-profit corporations to protect our rights. It’s not their job, and it shouldn’t be.