Discord breach sparks privacy fears as proof-of-age IDs leak through third-party provider

Breach comes amid growing global efforts to enforce online age verification laws

Discord has admitted that a subset of users had their government ID images, such as passports and driver’s licences accessed by hackers.

Discord, the popular video game chat and community platform, confirmed that a data breach involving one of its third-party customer service providers exposed sensitive user information, including government-issued IDs submitted for age verification.

In a press release, the company said an “unauthorised party” gained access to data belonging to a “limited number of users” who had interacted with Discord’s customer service or trust and safety teams.

The compromised information includes usernames, email addresses, billing information, IP addresses, and customer support correspondence.

Although Discord assured users that no passwords, authentication tokens, or private messages outside of customer service interactions were affected, the platform admitted that a subset of users had their government ID images, such as passports and driver’s licences, accessed.

These IDs were shared with Discord for age verification purposes.

“If your ID may have been accessed, that will be specified in the email you receive,” the company said in its user notification.

Online age verification laws

The breach comes amid growing global efforts to enforce online age verification laws, which have prompted platforms like Discord to collect sensitive personal data.

Earlier this year, Discord began rolling out facial age assurance checks for users in the UK and Australia, in response to tightening regulations.

According to the company, images submitted for age verification are “deleted directly after” confirmation.

However, Discord’s website notes that when automated checks fail, users may contact its trust and safety team, where ID documents are manually reviewed, creating a potential data exposure point.

The UK’s Online Safety Act, which came into force in July 2025, requires social media and user-generated content platforms to prevent minors from accessing harmful material.

The legislation mandates platforms to take reasonable steps to verify users’ ages, with the goal of shielding children from pornography, self-harm content, and abusive behaviour.

Following the UK’s rollout of age verification laws, VPN usage reportedly surged as users sought to bypass checks.

Similar regulations are emerging in the United States. Louisiana led the charge in 2022 with a law mandating age verification for websites containing significant adult content.

Since then, several states have followed suit. Ohio’s law took effect on 30 September 2025, just days before Arizona enacted its own version.

Australia is also moving forward. Under a new “under-16 social media ban” set to begin on 10 December 2025, the government will require platforms like Discord to implement multiple methods of verifying users’ ages, and to provide appeal processes for those incorrectly flagged.

Critics warn of privacy risks

While governments cite child protection as the driving motivation, critics warn that such measures could backfire.

They argue that collecting and storing personal data such as government IDs creates “honeypots” for hackers, as the Discord breach illustrates.

Digital rights groups have also questioned whether these laws can achieve their goals.

With VPNs and identity workarounds easily available, many users may simply migrate to less-regulated platforms, undermining the intended protections.

Discord says it is reinforcing its security posture, reviewing relationships with third-party service providers, and working to improve data deletion practices around manual ID submissions.

The company has not confirmed how many users were affected, but it stressed that the scope of the breach was “limited.”

The company is advising users who receive a notification about potential ID exposure to monitor for signs of identity theft and to report any suspicious activity.

If you’re a current or aspiring cybersecurity leader check out the Computing Security Leaders Summit on March 26th 2026. Packed with content including business continuity planning, bridging the cyber skills gap and cloud resilience, its promises to be full of insight and practical advice to take away. Register here for your free place.