Selfies with government IDs, IP addresses, and more were compromised in a breach linked to age verification appeals—raising alarm over growing digital ID mandates.
Discord Confirms Breach of Age-Verification Data
Discord has disclosed a data breach affecting at least 70,000 users, revealing that hackers accessed sensitive personal information through a third-party vendor used for age-related appeals.
- These appeals are required when Discord suspects a user is underage or when local laws mandate age verification.
- Users are typically asked to submit a selfie holding their government ID and Discord username—precisely the data now potentially exposed.
- The breach also included user IP addresses, which can reveal users’ approximate physical locations.
Discord stated it has contacted affected users directly and is investigating the full scope of the breach.
Claims Suggest Breach May Be Larger Than Reported
While Discord has confirmed around 70,000 impacted users, hackers claim to have exfiltrated 1.5 terabytes of data, possibly including more images and records than disclosed.
- 404 Media first reported on the breach and the hackers’ claims.
- Discord disputes the scale of the attack, telling The Verge the figures are “incorrect and part of an attempt to extort a payment.”
Still, the discrepancy has raised questions about transparency and risk assessment, especially given the sensitive nature of the data involved.
A Cautionary Tale for Age Verification Mandates
The breach highlights a growing concern among digital rights advocates about the privacy risks of mandatory age verification systems.
- Discord’s situation mirrors issues tied to age verification laws being enacted in nearly half of U.S. states, many targeting adult websites.
- Some platforms, like Pornhub, have blocked entire states to avoid having to collect such data.
- In the U.K., the recently passed Online Safety Act now compels mainstream platforms like YouTube, Spotify, and Reddit to verify user ages, intensifying the debate around data safety.
Critics argue that these policies force companies to store or transmit highly sensitive data, creating honey pots for attackers—as the Discord breach shows.
Discord’s Use of Third Parties Raises Questions
This breach was not due to a flaw in Discord’s core infrastructure but rather through a third-party vendor tasked with verifying user ages.
- The vendor’s identity has not been publicly disclosed.
- The use of external contractors for identity checks is increasingly common—but often less transparent and potentially less secure.
- The breach reaffirms the risks of outsourcing critical Trust & Safety functions without adequate oversight.
Fallout and What Users Can Do
Discord says it has notified impacted users and is working to improve data security and vendor risk management. However, the exposure of government ID photos and IP addresses is especially alarming.
Users concerned about the breach should:
- Monitor for suspicious activity involving their personal data.
- Be cautious of phishing emails that reference Discord accounts or ID verification.
- Consider changing Discord passwords and updating privacy settings.
A Broader Reckoning on Age Checks and Online Privacy
The breach amplifies ongoing concerns about how well-intentioned safety laws can endanger user privacy if not paired with secure, transparent systems.
- As age verification becomes more widespread across the internet, platforms will need to rethink how and where they collect sensitive user data.
- Governments may also face pressure to revisit age check mandates in light of growing cybersecurity risks.
In the name of online safety, we may be building systems that are inherently unsafe, critics warn.
