Feb 14, 2026 · 5 min read

Discord Wants Your Government ID—Months After Losing 70,000 Users' ID Photos in a Breach

Discord is rolling out mandatory age verification requiring government IDs and face scans. This comes months after a data breach exposed approximately 70,000 users' identity documents. The EFF awarded Discord a "We Still Told You So" prize for the irony.

The Breach That Set the Stage

In October 2025, attackers compromised Discord's customer support infrastructure through a third-party vendor called 5CA, which used Zendesk software to handle support tickets, including manual age verification appeals. The breach exposed approximately 70,000 government-issued ID photos, selfies, and sensitive identity documents that users had submitted to prove their age.

Threat actors claimed access to far more than Discord initially acknowledged: an estimated 8.4 million support tickets and over 520,000 age verification tickets. The breach earned Discord the Electronic Frontier Foundation's "2025 We Still Told You So Breachies Award," a distinction given to companies whose data collection practices predictably led to exactly the kind of breach privacy advocates warned about.

Discord has since discontinued the vulnerable support system. But the data that was exposed, government IDs and facial images, cannot be changed like a password. Those 70,000 users' identity documents are permanently compromised.

Now Discord Wants More IDs

On February 9, 2026, Discord announced "Teen by Default" settings rolling out globally in early March. The system treats all users as potentially underage until they prove otherwise, locking everyone into restricted experiences that include content filtering, limited direct messaging, and blocked access to age-gated spaces.

To unlock full access, users must verify their age through one of three methods:

  • Facial scanning: A device-based scan that Discord says is processed locally and not retained
  • Government ID upload: Processed through third-party vendors k-ID (globally) and Persona (UK and Australia)
  • Age inference: An algorithmic assessment using account tenure, device data, activity patterns, and platform behavior

Discord states that IDs are processed to extract age only and then deleted, and that identity is never associated with Discord accounts. But the same kind of assurance was implicitly made about the support system that was breached months earlier.

Why the EFF Calls It Reckless

The EFF's criticism centers on a fundamental contradiction: asking users to hand over more sensitive personal data to a company that just demonstrated it cannot protect the sensitive data it already has.

"History shows that data, especially this ultra valuable identity data, will leak, whether through hacks, misconfigurations, or retention mistakes," the EFF wrote. "No one should have to choose between accessing online communities and protecting their privacy."

The organization also highlighted technical failures in existing age verification technology. Facial age estimation tools have documented bias against people of color, trans and nonbinary individuals, and people with disabilities. No current technology is simultaneously privacy-protective, universally accessible, and consistently accurate.

Critically, Discord implemented this system voluntarily. Unlike platforms operating in jurisdictions with legal mandates for age verification, Discord chose to collect government IDs and biometric data without being required to do so.

Who Gets Hurt

Age verification requirements disproportionately affect people who rely on online anonymity for safety:

  • LGBTQ+ youth who use pseudonymous accounts to explore identity and find community support
  • Abuse survivors who participate in support communities under aliases to protect themselves from their abusers
  • Political dissidents in authoritarian countries who use Discord for organizing and protected speech
  • People without government ID, including millions worldwide who lack formal identification documents
  • Anyone whose appearance does not match their identity documents, including people who have transitioned, aged significantly, or undergone medical treatments

When identity checks become a condition of participation, many of these users will simply leave. The communities they relied on for support, connection, and safety will shrink or disappear.

The Third-Party Problem

Discord is not processing age verification internally. It is routing identity documents through third-party vendors: k-ID for most of the world and Persona for UK and Australian users. Each vendor adds another link in the chain where data can be mishandled, breached, or retained longer than promised.

The October 2025 breach happened through a third-party vendor. The new age verification system relies on different third-party vendors. The attack surface has not shrunk. It has shifted.

Discord's "age inference" option, which avoids ID submission entirely, uses behavioral data and account history to estimate age. While this avoids the document risk, it introduces a different privacy concern: building detailed behavioral profiles to categorize users, which can themselves be valuable targets for data brokers and advertisers.

The Bigger Pattern

Discord's decision reflects a growing trend of platforms collecting ever more personal data in the name of safety, while struggling to protect the data they already have. The same pattern plays out across the digital landscape: companies that cannot secure your email address, browsing history, or location data ask for your government ID, your face, and your biometrics.

Every piece of data you hand over becomes a permanent liability. Passwords can be changed. Credit cards can be reissued. But a government ID photo or a facial biometric template, once stolen, cannot be revoked. The 70,000 Discord users whose IDs were exposed in October 2025 will carry that risk indefinitely.

The principle extends to everyday privacy tools. Email tracking pixels collect data about you, your location, your device, your reading habits, without asking for consent. Each data point may seem minor, but in aggregate they build a profile that is difficult to undo. Blocking trackers at the source, whether in your inbox with tools like Gblock or in your browser with privacy extensions, remains the most reliable way to limit what companies can collect in the first place.