First, but not the last? Discord suffers hack resulting in age verification IDs leak

We’ve never exactly been fans of the rising wave of age verification laws cropping up around the world, most recently and arguably prominently in the US and the UK. Over there, the Online Safety Act now forces platforms to verify the ages of their users, with some pretty harsh penalties for non-compliance.

Our issue — and that of many other privacy and security experts — with these age verification checks (and the platforms rolling them out) is simple: they force users to hand over even more of their highly sensitive personal information. We're talking ID images like driver’s licenses or passports. And when platforms storing this kind of sensitive data get hacked, especially if they’re hosting adult content, the consequences can be flat-out disastrous.

The UK’s Online Safety Act, which mandates “robust” age checks for online platforms, came into effect on July 25 this year. Discord, anticipating the deadline, started rolling out its age verification system early, beginning as far back as April 2025. That rollout started with a limited test that included face scanning to estimate users’ ages. When the law kicked in, the policy quickly expanded to cover all UK-based users.

A ticking time bomb

And — as you might’ve guessed — it was a ticking time bomb. Last week, Discord confirmed that a trove of users’ personal data handled by its third-party customer service provider had been breached. According to Discord, the attackers gained access to “a small number of government‑ID images (e.g., driver’s license, passport) from users who had appealed an age determination”.

Other data that fell into the hands of the hackers included:

  • Names, Discord usernames, emails, and other contact details (if provided to customer support)
  • Limited billing info, like the type of payment method, last four digits of credit cards, and purchase history (if linked to your account)
  • IP addresses
  • Messages exchanged with Discord’s customer service team
  • Some internal corporate docs (training material, internal presentations)

Discord said that this data was exposed in the September 20 attack, saying that the hackers demanded a ransom from Discord so that they did not leak the data. According to BleepingComputer, the third-party support provider in question was Zendesk, a popular customer service platform used by many large companies.

In the aftermath of the attack, Discord said that it revoked the support provider’s access to the ticketing system, engaged computer forensics experts, and launched an internal investigation.

It’s unclear how many users exactly were affected in the incident, but Discord has about 250 million monthly active users. At the same time, the age verification checks fully apply only to the UK-based users, where they are mandatory. Discord itself has been testing what it calls “age assurance” in other regions, such as reportedly Australia. That means that while this is still limited for now, age verification is on track to become a widespread practice — and that’s exactly why we want to zero in on it.

Play by the rules, get your ID leaked

Normally, to create an account on an online platform, you don’t hand over your government ID — so how did ID photos end up in the hands of Discord’s third-party provider, and, eventually, hackers?

To blame is the newly-installed age verification system in place in Discord. According to Discord’s guidelines, there are only two ways to prove your “age group”: either scan your face, or upload a scan of your ID document. Faced with picking the lesser of two evils, most users likely go for the selfie over handing in a government-issued ID. Some go even more creative — like trying to bypass Discord’s checks with screenshots from Death Stranding’s in-game photo mode. But if you’re trying to play by the book, you’ll end up submitting either your face or your ID.

Discord age verification screen

And it’s those law-abiding users — the ones who did what they were told — that ended up in the crosshairs of the latest breach. Discord claims the system is built with privacy in mind, and that no identification documents or video selfies are permanently stored:

“Discord and k-ID (Discord’s verification service provider) do not permanently store personal identity documents or your video selfies. The image of your identity document and the ID face match selfie are deleted directly after your age group is confirmed, and the video selfie used for facial age estimation never leaves your device.”

We have to take them at their word here: that the data is deleted immediately after use. But there’s a catch: if the system fails to verify your age (which, let’s be real, isn’t that rare — age estimation tech isn’t exactly foolproof), users are directed to contact Discord’s Trust and Safety team. And that’s when they’re asked to submit their ID or a selfie again. Those are the photos and IDs that were leaked.

The real cost of compliance

Unfortunately for Discord — and for every other platform being pushed to roll out similar systems — this is just the beginning. The more personal data platforms are forced to collect just so users can log in, the more opportunities there will be for leaks, breaches, and exploitation. The attack surface keeps growing.

The rule of thumb (as always) is this: minimize how much personal data you hand over online. Whether it’s a website, app, or platform, the less you give them, the less can be leaked.

In this case, that might mean using a workaround like connecting to a VPN server in a country where age verification laws aren’t mandatory (yet). But how long that trick will work is anyone’s guess.

Hopefully, incidents like this serve as a wake-up call. Hopefully big tech and other platforms will start pushing back instead of just rolling over and complying. Because right now, the price of compliance is starting to look dangerously high.

Liked this post?
19,693 19693 user reviews
Excellent!

AdGuard for Windows

AdGuard for Windows is more than an ad blocker. It is a multipurpose tool that blocks ads, controls access to dangerous sites, speeds up page loading, and protects children from inappropriate content.
By downloading the program you accept the terms of the License agreement
Read more
AdGuard for Windows v7.22, 14-day trial period
19,693 19693 user reviews
Excellent!

AdGuard for Mac

AdGuard for Mac is a unique ad blocker designed with macOS in mind. In addition to protecting you from annoying ads in browsers and apps, it shields you from tracking, phishing, and fraud.
By downloading the program you accept the terms of the License agreement
Read more
AdGuard for Mac v2.17, 14-day trial period
19,693 19693 user reviews
Excellent!

AdGuard for Android

AdGuard for Android is a perfect solution for Android devices. Unlike most other ad blockers, AdGuard doesn't require root access and provides a wide range of app management options.
By downloading the program you accept the terms of the License agreement
Read more
Scan to download
Use any QR-code reader available on your device
AdGuard for Android v4.12, 14-day trial period
19,693 19693 user reviews
Excellent!

AdGuard for iOS

The best iOS ad blocker for iPhone and iPad. AdGuard eliminates all kinds of ads in Safari, protects your privacy, and speeds up page loading. AdGuard for iOS ad-blocking technology ensures the highest quality filtering and allows you to use multiple filters at the same time
By downloading the program you accept the terms of the License agreement
Read more
Scan to download
Use any QR-code reader available on your device
AdGuard for iOS v4.5
19,693 19693 user reviews
Excellent!

AdGuard Content Blocker

AdGuard Content Blocker eliminates all kinds of ads in mobile browsers that support content-blocking technology — namely, Samsung Internet and Yandex Browser. Its features are limited compared to AdGuard for Android, but it is free, easy to install, and efficient
By downloading the program you accept the terms of the License agreement
Read more
AdGuard Content Blocker v2.8
19,693 19693 user reviews
Excellent!

AdGuard Browser Extension

AdGuard is the fastest and most lightweight ad blocking extension that effectively blocks all types of ads on all web pages! Choose AdGuard for the browser you use and get ad-free, fast and safe browsing.
AdGuard Browser Extension v5.2
19,693 19693 user reviews
Excellent!

AdGuard Assistant

A companion browser extension for AdGuard desktop apps. It offers an in-browser access to such features as custom element blocking, allowlisting a website or sending a report.
AdGuard Assistant v1.4
19,693 19693 user reviews
Excellent!

AdGuard Home

AdGuard Home is a network-based solution for blocking ads and trackers. Install it once on your router to cover all devices on your home network — no additional client software required. This is especially important for various IoT devices that often pose a threat to your privacy
AdGuard Home v0.107
19,693 19693 user reviews
Excellent!

AdGuard Pro for iOS

AdGuard Pro for iOS comes with all the advanced ad-blocking protection features enabled. It offers the same tools as the paid version of AdGuard for iOS. It excels at blocking ads in Safari and lets you customize DNS settings to tailor your protection. It blocks ads in browsers and apps, protects your kids from inappropriate content, and keeps your personal data safe
By downloading the program you accept the terms of the License agreement
Read more
AdGuard Pro for iOS v4.5
19,693 19693 user reviews
Excellent!

AdGuard for Safari

Our ad blocker for Safari has successfully risen to the challenge of Apple forcing everyone to use its new SDK. This AdGuard extension aims to bring back high-quality ad blocking to Safari
AdGuard for Safari v1.11
19,693 19693 user reviews
Excellent!

AdGuard for Android TV

AdGuard for Android TV is the only app that blocks ads, guards your privacy, and acts as a firewall for your Smart TV. Get warnings about web threats, use secure DNS, and benefit from encrypted traffic. Relax and dive into your favorite shows with top-notch security and zero ads!
AdGuard for Android TV v4.12, 14-day trial period
19,693 19693 user reviews
Excellent!

AdGuard for Linux

AdGuard for Linux is the world’s first system-wide Linux ad blocker. Block ads and trackers at the device level, select from pre-installed filters, or add your own — all through the command-line interface
AdGuard for Linux v1.1
19,693 19693 user reviews
Excellent!

AdGuard Temp Mail

A free temporary email address generator that keeps you anonymous and protects your privacy. No spam in your main inbox!
19,693 19693 user reviews
Excellent!

AdGuard VPN

83 locations worldwide

Access to any content

Strong encryption

No-logging policy

Fastest connection

24/7 support

Try for free
By downloading the program you accept the terms of the License agreement
Read more
19,693 19693 user reviews
Excellent!

AdGuard DNS

AdGuard DNS is a foolproof way to block Internet ads that does not require installing any applications. It is easy to use, absolutely free, easily set up on any device, and provides you with minimal necessary functions to block ads, counters, malicious websites, and adult content.
19,693 19693 user reviews
Excellent!

AdGuard Mail

Protect your identity, avoid spam, and keep your inbox secure with our aliases and temporary email addresses. Enjoy our free email forwarding service and apps for all operating systems
19,693 19693 user reviews
Excellent!

AdGuard Wallet

A secure and private crypto wallet that gives you full control over your assets. Manage multiple wallets and discover thousands of cryptocurrencies to store, send, and swap
Downloading AdGuard To install AdGuard, click the file indicated by the arrow Select "Open" and click "OK", then wait for the file to be downloaded. In the opened window, drag the AdGuard icon to the "Applications" folder. Thank you for choosing AdGuard! Select "Open" and click "OK", then wait for the file to be downloaded. In the opened window, click "Install". Thank you for choosing AdGuard!
Install AdGuard on your mobile device