Discord is pressing forward with government ID checks for users in new regions, even after a major customer-support breach in October 2025 exposed sensitive identity documents belonging to tens of thousands of people.
The expansion of its age-verification system reflects growing pressure under the United Kingdom’s Online Safety Act, a law that effectively compels platforms to collect and process personal identification data in order to comply with its censorship and content-control mandates.
The October 2025 incident highlighted exactly why such measures alarm privacy advocates.
Around 70,000 Discord users had images of government-issued IDs leaked after attackers gained access to a third-party customer service system tied to the company.
The hackers claim to have extracted as much as 1.6 terabytes of information, including 8.4 million support tickets and over 100 gigabytes of transcripts.
Discord disputed the scale but admits the breach stemmed from a compromised contractor account within its outsourced Zendesk environment, not its own internal systems.
Despite the exposure, Discord continues to expand mandatory age-verification. The company’s new “privacy-forward age assurance” program is now required for all UK and Australian users beginning December 9, 2025.
Users must verify that they are over 18 to unblur “sensitive content,” disable message-request filters, or enter age-restricted channels.
Verification occurs through the third-party vendors k-ID and, in some UK cases, Persona, which process either a government ID scan or a facial-analysis selfie to confirm age.
More: Tea App Leak Shows Why UK’s Digital ID Age Verification Laws are Dangerous
Discord says that data is deleted once the age group is confirmed and that selfies used for facial estimation never leave the device.
The company insists this complies with new national laws such as the UK’s Online Safety Act and Australia’s Social Media Minimum Age Act, both of which impose legal obligations on platforms to block access to material deemed unsuitable for minors.
Yet the system effectively normalizes document-based surveillance of everyday users, often without their direct consent to vendor storage. Persona, one of Discord’s verification partners, retains submitted data for up to seven days before deletion.
The 2025 breach makes these government requirements look especially reckless. It demonstrated how fragile supposedly “privacy-protective” verification chains can be once multiple third-party vendors hold fragments of ID records.
Government pressure to enforce identity verification has forced platforms like Discord to collect data that, once compromised, cannot be retrieved or anonymized.
