Discord Global Age Verification Rollout After Third-Party ID Image Breach
Discord announced a phased global rollout requiring users to verify their age using video selfies or government IDs, citing growing regulatory pressure for age checks on social platforms and a goal of providing a “teen-appropriate experience by default.” Discord said the verification data will be deleted immediately after age is confirmed and claimed it will not leave the user’s device; the company also described new defaults that restrict access to age-gated features (e.g., blurring sensitive content and limiting age-restricted channels/commands to verified adults). The rollout is expected to begin in early March, following earlier “teen-by-default” measures introduced in the U.K. and Australia.
The policy change triggered backlash in gaming communities due to privacy and breach concerns, amplified by a prior incident in which roughly 70,000 images of government IDs were exposed after users had uploaded them for customer service purposes; reporting attributes the exposure to a third-party service Discord used to manage data. Discord is attempting to reassure users by pointing to tightened controls and a partnership with k-ID for age checks, but critics highlighted perceived ambiguity in how ID scans may be handled (including potential uploads to vendor servers and involvement of additional third parties), and warned that expanding collection of sensitive identity data increases the platform’s attractiveness as a target.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
EFF publicly opposes Discord's mandatory age verification rollout
On February 12, 2026, the Electronic Frontier Foundation published a critique warning that Discord's age verification and age inference systems create privacy, surveillance, bias, and free-expression risks. EFF argued the prior breach showed identity data is inherently high-risk and urged platforms and lawmakers not to adopt broad age-verification mandates.
Public backlash intensifies over Discord's new age-check system
Following the announcement, users, privacy advocates, and gaming communities sharply criticized the plan, arguing that requiring facial scans or IDs expands Discord's attack surface and is especially troubling after the 2025 breach. Some users began discussing migration to alternative platforms that do not require identity verification.
Discord details age-gated restrictions and age inference approach
By February 10, 2026, reporting revealed additional implementation details: unverified users would face blurred sensitive content, restricted access to age-gated spaces, reduced DM capabilities, and limits in some features, while Discord would also use an age inference model to avoid prompting most users. Discord said it had switched to new vendors and described safeguards such as on-device selfie processing and rapid deletion of uploaded IDs.
Discord announces global age verification and teen-default account changes
On February 9, 2026, Discord announced it would require age verification globally using video selfies or government IDs, while placing accounts into a 'teen-appropriate' experience unless adulthood is verified. The company said the rollout would begin in phases in early March and cited growing legal and regulatory pressure around protecting minors online.
Third-party breach exposes about 70,000 Discord user IDs and selfies
In October 2025, a breach involving a third-party service used by Discord exposed sensitive identity data previously uploaded by roughly 70,000 users, including government IDs and selfies. The incident became a central point of criticism in later debates over Discord's identity-based age checks.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
6 references tracked. Mallory keeps watching after this page renders.
Discord Voluntarily Pushes Mandatory Age Verification Despite Recent Data Breach | Electronic Frontier Foundation
eff.org
Open sourceMy 5 favorite Discord alternatives - no ID verification required | ZDNET
zdnet.com
Open sourceUpcoming AI-based age verification in Discord slammed | SC Media
scworld.com
Open sourceDiscord's new age ID verification: How it works, internet reactions, and alternatives | ZDNET
zdnet.com
Open sourceDiscord faces backlash over age checks after data breach exposed 70,000 IDs - Ars Technica
arstechnica.com
Open sourceDiscord to require video selfies or government IDs to verify all users’ ages | The Record from Recorded Future News
therecord.media
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Platforms Expand Identity and Age-Verification Features for Privacy and Adult-Content Access
Google upgraded its *Results About You* safety feature to detect and request removal of additional sensitive identifiers exposed in Search results, including government ID numbers such as **passport numbers, driver’s license numbers, and Social Security numbers**. The update also streamlines Google’s process for reporting and removing **non-consensual explicit imagery (NCEI)**, including deepfakes and other AI-generated sexualized content, reflecting increased platform focus on limiting the discoverability of highly sensitive personal data and abusive imagery. Discord announced it will begin requiring **age verification** for access to adult content globally, using either an **ID upload** or an **AI-based video selfie** to estimate age. Discord stated that verification data will not be retained by Discord or its verification provider, claiming face scans will not be collected and ID images will be deleted after verification, highlighting ongoing industry movement toward stronger identity/age-gating controls alongside privacy assurances about data handling.
Mar 21, 2026
Discord Data Breach Involving Compromised Government ID Photos and Third-Party Denial
Discord experienced a significant data breach that resulted in the exposure of approximately 70,000 users' government-issued identification photos, including driver's licenses and passports submitted for age verification. The breach was initially disclosed by Discord, which stated that a 'small number' of government IDs had been compromised, later clarifying that the number was around 70,000. Discord attributed the breach to a third-party customer service support firm, 5CA, which it contracts for customer support operations. However, 5CA publicly refuted these claims, asserting that none of its systems were involved in the breach and that it had not handled government-issued IDs for Discord. 5CA emphasized that its platforms and systems remained secure, with all client data protected under strict security controls, and that there was no evidence of impact on other clients or systems. The company also stated that access controls, encryption, and monitoring systems were fully operational and had been placed under heightened review as a precaution. 5CA attributed the incident to 'human error' but did not provide further details on the nature of this error. Media reports and statements from 5CA suggest that the breach occurred outside of its infrastructure. Hackers claiming responsibility for the breach told BleepingComputer that they accessed Discord's Zendesk account for 58 hours on September 20, allegedly using compromised credentials belonging to a support agent from a third-party company. This suggests that the attack vector may have involved credential compromise rather than a direct hack of 5CA's systems. Discord has not yet confirmed which company was responsible for holding the compromised government ID photos. The incident has raised concerns about the security of third-party vendors and the handling of sensitive user data. Both Discord and 5CA have faced scrutiny over their security practices and communication regarding the breach. The lack of clarity about the exact cause and responsible party has left users and the cybersecurity community seeking more information. The breach underscores the risks associated with outsourcing customer support functions and the importance of robust access controls and monitoring. Discord's response included updating its public statements and working to clarify the scope and impact of the breach. 5CA's denial and emphasis on its security posture highlight the challenges in attributing responsibility in incidents involving multiple vendors. The incident remains under investigation, with both companies maintaining that their systems were not directly compromised. The exposure of sensitive government ID photos has significant privacy implications for affected users. Ongoing reviews and heightened security measures have been implemented by 5CA as a precaution. The breach serves as a reminder of the persistent threat posed by compromised credentials and the need for continuous vigilance in third-party risk management.
Mar 21, 2026
Persona Age-Verification Frontend Exposure Raises Privacy and Surveillance Concerns for Discord Users
Security researchers investigating Discord’s UK age-verification rollout reported finding a **publicly exposed Persona frontend** (the identity-verification vendor used by Discord) on a **US government–authorized endpoint**, with **2,456 accessible files**. The exposed materials (since removed) allegedly revealed Persona’s broader **KYC/AML and surveillance-oriented capabilities** beyond age estimation, including **269 verification checks**, facial recognition comparisons against **watchlists** and **politically exposed persons (PEP)** lists, “adverse media” screening across multiple categories (including terrorism/espionage), and the generation of risk/similarity scores. The reporting also described extensive data collection/retention claims, including IP addresses, browser/device fingerprints, government ID numbers, phone numbers, names, faces, and “selfie” analytics, with retention described as up to **three years**. The discovery intensified backlash over Discord’s requirement that some users verify age (including via face scanning) to restore full functionality, and it fueled online allegations that the tooling could enable creation of broader watchlists. Persona publicly disputed insinuations of improper government ties and stated it invests in compliance and controls to protect sensitive data; it also said investors do not have access to Persona data and denied operational involvement by specific investors cited in the controversy. Ars Technica reported that OpenAI did not immediately respond to a request for comment regarding claims about an internal database related to Persona identity checks, while Persona characterized circulating claims as misleading and said any potential government engagements would be limited to workforce account security and exclude DHS/ICE.
Mar 21, 2026