10 minute read

Mandatory age checks after a 70,000‑ID breach is a trust test Discord hasn’t earned

By PrivasecTech Research Team

Discord is rolling out mandatory age verification globally, requiring users to submit facial scans or government-issued IDs to access age-restricted content and certain platform features. The timing couldn’t be worse — this expansion comes just four months after a devastating data breach exposed approximately 70,000 government ID images. And the company’s track record raises serious questions about whether we should trust them with our most sensitive personal data.

The Breach That Should Change Everything

In October 2025, Discord disclosed that hackers had compromised one of its third-party customer service providers, 5CA, exposing sensitive data from users who had contacted Customer Support or Trust & Safety teams. The stolen data included:

• Approximately 70,000 government-issued ID photos (passports, driver’s licenses)

• Discord usernames, real names, and email addresses

• IP addresses tied to support interactions

• Messages exchanged with customer support agents

• Limited billing metadata, including payment methods and partial credit card numbers

The hackers, operating under the name “Scattered Lapsus$ Hunters,” claimed to have stolen 1.6 terabytes of data and reportedly attempted to extort Discord for millions of dollars. Perhaps most alarmingly, they began leaking samples of the stolen data on Telegram, including selfies of users holding their government IDs.

The Vendor Finger-Pointing Game

Discord was quick to blame 5CA, stating that their own systems were not breached. But 5CA fired back with a public denial, claiming their systems “were not involved” and remained secure. The vendor even suggested the incident “may have resulted from human error” — raising questions about whose systems were actually compromised and who is ultimately responsible for protecting user data.

Here’s the critical issue: Discord’s stated policy was that ID images should be “deleted directly after your age group is confirmed.” Yet 70,000 IDs were somehow still accessible when hackers breached the vendor. This represents either a catastrophic failure in vendor management or a violation of Discord’s own data retention policies — possibly both.

A Troubling Pattern: The OpenFeint Legacy

This isn’t Discord CEO Jason Citron’s first rodeo with user data controversies. Before founding Discord in 2015, Citron created OpenFeint, a social gaming platform for mobile devices that became embroiled in a major privacy scandal.

In 2011, OpenFeint was hit with a federal class action lawsuit alleging the company:

• Collected unique device identifiers without proper consent

• Harvested exact GPS locations from users’ devices

• Accessed Internet browsing histories

• Scraped social media profile information from Facebook and Twitter

• Disclosed this personal information to third parties including developers, advertising networks, and analytics vendors

• Failed to provide adequate notice or privacy policies in most games using the platform

The lawsuit alleged that OpenFeint’s business model fundamentally relied on unauthorized data collection and monetization. The case was eventually settled out of court, and OpenFeint updated its privacy policy — but only after being caught.

In April 2011, just after the lawsuit was filed, Japanese company GREE acquired OpenFeint for $104 million. The platform was shut down in December 2012. While past performance doesn’t guarantee future behavior, the pattern is concerning: a platform collecting sensitive user data, inadequate transparency, and eventual controversy.

The New Age Verification Rollout

Starting in March 2026, Discord will implement “teen-by-default” settings globally. Users not verified as adults will face significant restrictions:

• No access to age-restricted servers and channels

• Inability to speak in Discord’s “stage” channels (livestream-like features)

• Automatic content filters for graphic or sensitive material

• Warning prompts for friend requests from unfamiliar users

• DMs from unfamiliar users filtered into a separate inbox

To regain full access, users must verify their age through one of two methods:

1. Facial Age Estimation (“Video Selfie”): Users record a video selfie that’s processed by AI to estimate their age. Discord claims this processing happens on-device and the video “never leaves your device.”

2. Government ID Verification: Users submit photos of government-issued identification documents to Discord’s third-party vendor partners. Discord says these are “deleted quickly — in most cases, immediately after age confirmation.”

Those words — “in most cases” — should make every user pause. As the October breach demonstrated, exceptions to data deletion policies can have devastating consequences.

The Privacy Promises (And Why They Ring Hollow)

Discord assures users of several privacy protections:

On-device processing: Video selfies for facial age estimation never leave your device

Quick deletion: Identity documents are deleted quickly after age confirmation

Private status: Other users cannot see your verification status

No advertising use: Age data won’t be used for targeted advertising

But here’s the problem: these are the exact same types of promises Discord made before the October breach. They promised IDs would be deleted immediately. They promised secure vendor partnerships. They promised data protection.

And yet, 70,000 government IDs were still sitting in a vendor’s system when hackers came calling.

The Third-Party Vendor Problem

Discord’s reliance on third-party vendors for age verification introduces a critical vulnerability. The company partners with providers like k-ID and (previously) 5CA to handle sensitive verification processes. This creates multiple points of failure:

Vendor security practices: Discord has limited control over how vendors secure data

Data retention policies: Vendors may retain data longer than promised

Human error: Vendor employees can be targets for social engineering

Supply chain attacks: Hackers can target the weakest link in the vendor chain

Unclear accountability: When breaches occur, finger-pointing between Discord and vendors leaves users in limbo

The October breach perfectly illustrates this problem. Discord says 5CA was compromised. 5CA says they weren’t hacked and don’t handle IDs. Users are left wondering: whose fault was it, and who’s protecting our data?

User Backlash and Real Concerns

The Discord community has responded with widespread criticism and concern. On Reddit, users have expressed fears about:

Data breach risks: “I will not be uploading my face or ID to a database that I know is not secure enough to handle this.”

Platform abandonment: “What a great way to kill your community” and “Cancelled my Nitro Classic as well.”

Privacy violations: Concerns about creating surveillance databases of minors and adults

Vulnerable populations: LGBTQ+ teens and others who may face risks if their identity is exposed

Discord’s head of product policy, Savannah Badalich, acknowledged the company expects “some sort of hit” to user numbers but said “We’ll find other ways to bring users back.” This cavalier attitude toward privacy concerns is troubling, especially given the company’s recent breach.

There Is a Better Way: Privacy-Preserving Age Verification

The rush to implement age verification across the internet has created a dangerous trend: platforms collecting vast amounts of personally identifiable information (PII) in the name of child safety. But this approach creates honeypots of sensitive data that inevitably become targets for hackers.

Privacy-preserving alternatives exist. Solutions like ConsentKeys (consentkeys.com) demonstrate how age verification can work without compromising user privacy:

One-time verification: Users verify their age once with a trusted third party

Pseudonymous credentials: The system issues anonymous tokens or credentials proving age without revealing identity

Zero-knowledge proof: Age-gated services see only the credential — never the user’s name, photo, ID, or other PII

No central database: No massive honeypot of government IDs and facial scans for hackers to target

Privacy by design: Built on principles that align with GDPR and other privacy frameworks

This approach protects children without creating surveillance infrastructure. It verifies age without revealing identity. It satisfies regulatory requirements without violating privacy rights.

The Broader Context: A Global Trend Toward Digital ID Collection

Discord’s rollout is part of a broader trend driven by regulatory pressure around the world. The UK’s Online Safety Act, Australia’s proposed age verification laws, and similar legislation in other jurisdictions are pushing platforms to implement age checks.

Roblox recently announced mandatory facial verification for chat features. YouTube has launched age-estimation technology. OpenAI is bringing age prediction to ChatGPT. The pattern is clear: we’re heading toward a future where accessing basic internet services requires handing over biometric data or government IDs.

But this trend doesn’t have to mean the end of online privacy. We can protect children without building surveillance systems. We can verify age without collecting biometric databases. We can satisfy regulators without violating human rights.

It just requires platforms to prioritize privacy over convenience, and regulators to understand the difference between age verification and identity surveillance.

Questions Discord Must Answer

Before users should trust Discord with their facial scans and government IDs, the company needs to provide clear answers to critical questions:

1. Vendor Management: What specific improvements have been made to vendor security auditing and oversight since the October breach? How will Discord ensure vendors actually delete data as promised?

2. Data Retention: Why were 70,000 IDs still accessible during the October breach if they were supposed to be “immediately deleted”? What systemic failures allowed this, and how have they been fixed?

3. Third-Party Accountability: Who is ultimately liable when vendor breaches occur? Will Discord compensate users whose IDs are exposed?

4. Alternative Solutions: Why hasn’t Discord explored privacy-preserving age verification methods that don’t require collecting and storing biometric data or government IDs?

5. Transparency: Will Discord commit to publicly reporting all age verification data breaches within 24 hours and providing detailed forensic analysis?

6. User Control: Can users who verified their age before the breach re-verify using different methods? Can they request deletion of any biometric or ID data currently held by vendors?

Recommendations for Users

Given Discord’s track record and the recent breach, users should consider the following:

Think carefully before verifying: Do you actually need access to age-restricted content? Can you use Discord without full verification?

Prefer facial estimation over ID: If you must verify, the on-device facial scan is preferable to uploading government IDs, though neither is ideal

Monitor your accounts: If you previously verified with an ID, watch for signs of identity theft or fraud

Consider alternatives: Evaluate whether other communication platforms offer similar functionality without invasive verification

Voice concerns: Contact Discord support, use the feedback button, and make it clear that privacy matters to users

Advocate for better solutions: Support privacy-preserving age verification methods and contact lawmakers about the dangers of mandating biometric collection

The Bottom Line

Discord’s rollout of mandatory age verification comes at the worst possible time — just months after a major breach exposed tens of thousands of government IDs. The company’s history, from the OpenFeint data collection lawsuit to the October 2025 vendor breach, suggests a pattern of inadequate attention to user privacy.

While protecting children online is crucial, we must ask: at what cost? Creating massive databases of biometric data and government IDs makes platforms irresistible targets for hackers, state actors, and other malicious parties. Once this data is stolen, it can’t be changed like a password — your face and government ID are permanent.

Privacy-preserving alternatives exist. They can verify age without compromising identity. They can protect children without building surveillance infrastructure. They can satisfy regulatory requirements without creating data breach disasters.

Discord should explore these alternatives before forcing hundreds of millions of users to hand over their most sensitive personal data. And users should think very carefully before trusting a company with a troubling privacy track record with their biometric information.

The question isn’t whether we should protect children online — we absolutely should. The question is whether we should sacrifice everyone’s privacy to do it, especially when better solutions exist.

References and Additional Resources:

You may also enjoy

Password Managers For 2024

1 minute read

The top two questions we’ve received for the last 15 years are which browser should I use for privacy?, but more common is “Which password manager should I u...

Web Browsing With Privacy

1 minute read

I’ve been updating this blog for well over a decade on privacy centric browser options, so I thought I’d start with my recommendations as we dive into 2024. ...

Sharing Links

less than 1 minute read

When sharing links, there are a handful of issues that may occur. The original news site or blog may have taken the article the down, or they may in the futu...

You May Have 5 Minutes To Patch Your Systems

4 minute read

We’ve all been working on something on our device when we get a pop-up that a new patch or update is available, and we probably dismiss it as we want to stay...