Persona Age-Verification Frontend Exposure Raises Privacy and Surveillance Concerns for Discord Users
Security researchers investigating Discord’s UK age-verification rollout reported finding a publicly exposed Persona frontend (the identity-verification vendor used by Discord) on a US government–authorized endpoint, with 2,456 accessible files. The exposed materials (since removed) allegedly revealed Persona’s broader KYC/AML and surveillance-oriented capabilities beyond age estimation, including 269 verification checks, facial recognition comparisons against watchlists and politically exposed persons (PEP) lists, “adverse media” screening across multiple categories (including terrorism/espionage), and the generation of risk/similarity scores. The reporting also described extensive data collection/retention claims, including IP addresses, browser/device fingerprints, government ID numbers, phone numbers, names, faces, and “selfie” analytics, with retention described as up to three years.
The discovery intensified backlash over Discord’s requirement that some users verify age (including via face scanning) to restore full functionality, and it fueled online allegations that the tooling could enable creation of broader watchlists. Persona publicly disputed insinuations of improper government ties and stated it invests in compliance and controls to protect sensitive data; it also said investors do not have access to Persona data and denied operational involvement by specific investors cited in the controversy. Ars Technica reported that OpenAI did not immediately respond to a request for comment regarding claims about an internal database related to Persona identity checks, while Persona characterized circulating claims as misleading and said any potential government engagements would be limited to workforce account security and exclude DHS/ICE.
Related Stories

Discord Global Age Verification Rollout After Third-Party ID Image Breach
**Discord** announced a phased global rollout requiring users to verify their age using **video selfies or government IDs**, citing growing regulatory pressure for age checks on social platforms and a goal of providing a “teen-appropriate experience by default.” Discord said the verification data will be **deleted immediately after age is confirmed** and claimed it **will not leave the user’s device**; the company also described new defaults that restrict access to age-gated features (e.g., blurring sensitive content and limiting age-restricted channels/commands to verified adults). The rollout is expected to begin in early March, following earlier “teen-by-default” measures introduced in the U.K. and Australia. The policy change triggered backlash in gaming communities due to privacy and breach concerns, amplified by a prior incident in which **roughly 70,000 images of government IDs** were exposed after users had uploaded them for customer service purposes; reporting attributes the exposure to a **third-party service** Discord used to manage data. Discord is attempting to reassure users by pointing to tightened controls and a partnership with *k-ID* for age checks, but critics highlighted perceived ambiguity in how ID scans may be handled (including potential uploads to vendor servers and involvement of additional third parties), and warned that expanding collection of sensitive identity data increases the platform’s attractiveness as a target.
1 month ago
Platforms Expand Identity and Age-Verification Features for Privacy and Adult-Content Access
Google upgraded its *Results About You* safety feature to detect and request removal of additional sensitive identifiers exposed in Search results, including government ID numbers such as **passport numbers, driver’s license numbers, and Social Security numbers**. The update also streamlines Google’s process for reporting and removing **non-consensual explicit imagery (NCEI)**, including deepfakes and other AI-generated sexualized content, reflecting increased platform focus on limiting the discoverability of highly sensitive personal data and abusive imagery.
Discord announced it will begin requiring **age verification** for access to adult content globally, using either an **ID upload** or an **AI-based video selfie** to estimate age. Discord stated that verification data will not be retained by Discord or its verification provider, claiming face scans will not be collected and ID images will be deleted after verification, highlighting ongoing industry movement toward stronger identity/age-gating controls alongside privacy assurances about data handling.
1 month ago
Discord User Data Exposed via Third-Party Customer Support Breach
Attackers gained unauthorized access to a third-party customer service system used by Discord, resulting in the exposure of sensitive user data. The breach, which occurred on September 20, 2025, did not compromise Discord’s core infrastructure but targeted a helpdesk provider that managed customer support and Trust and Safety interactions. The attackers obtained personally identifiable information, including real names, Discord usernames, email addresses, and IP addresses of users who had contacted Discord’s support teams. In addition to contact details, the breach exposed partial payment information, such as the last four digits of credit cards and payment types, as well as purchase history for some users. Notably, a subset of affected users had submitted government-issued identification documents, such as driver’s licenses and passports, for account appeals or age verification, and these scanned IDs were also accessed by the attackers.
The attackers demanded a ransom from Discord, threatening to leak the stolen information if their demands were not met, indicating a financially motivated campaign. Discord responded by immediately revoking the support provider’s access to its ticketing system, launching an internal investigation, and engaging a leading computer forensics firm to assist with remediation. Law enforcement agencies were also notified and involved in the investigation. The company publicly disclosed the incident and notified affected users, emphasizing that full credit card numbers and account passwords were not compromised.
The breach highlights the risks associated with storing sensitive data, such as government IDs, in third-party systems, especially as regulatory requirements push platforms to collect more personal information for age verification. Security experts note that customer support platforms often become attractive targets for cybercriminals due to the concentration of sensitive user data.
The incident underscores the importance of minimizing data retention and ensuring that sensitive information is not stored longer than necessary in support systems. Discord’s experience mirrors previous breaches at other major platforms where helpdesk systems were exploited to access user data. The company’s swift response aimed to contain the breach and prevent further unauthorized access. The exposure of government-issued IDs is particularly concerning, as it increases the risk of identity theft for affected users. The breach serves as a cautionary tale for organizations relying on third-party vendors to handle sensitive customer interactions. Ongoing investigations are expected to provide further insights into the attackers’ methods and the full scope of the compromised data. Discord has committed to reviewing and strengthening its data handling and vendor management practices in the wake of the incident.
5 months ago