Discord faces backlash over age checks after data breach exposed 70,000 IDs
> **Source:** [Ars Technica](https://arstechnica.com/tech-policy/2026/02/discord-faces-backlash-over-age-checks-after-data-breach-exposed-70000-ids/)
# Trust Issues
Discord’s New Age‑Verification Policy
What’s changing?
Discord will soon require every user to verify their age before accessing adult content. Verification can be done by one of two methods:
- Facial‑structure analysis – a video selfie processed locally on the device.
- Government‑ID upload – the ID is checked off‑device, while the selfie never leaves the user’s device.
Data‑handling claims
- Both the selfie and ID data are deleted immediately after an age estimate is produced.
- The AI that performs the age check runs on the user’s device; only the final age group is stored on Discord’s servers.
Roll‑out timeline
- A phased global rollout will start in early March.
- After rollout, all accounts will default to a “teen‑appropriate” experience.
User experience
- Most users will need to verify once.
- Some may be asked to use multiple methods if additional information is required to assign an age group.
Community Backlash
Privacy Concerns
- Recent breach – In October 2025, hackers stole government IDs of 70,000 Discord users from a third‑party verification service used in the UK and Australia.
  - Discord’s statement: the stolen data was intended for extortion.
  - Ars Technica (Dan Goodin) warned that anyone who has submitted IDs should assume the data may already be compromised.
- Fear of becoming a bigger target – Collecting more sensitive data (face scans, IDs) could make Discord an even more attractive target for attackers.
Reddit Reactions
- r/pcgaming – After The Verge broke the news, users wrote:
  - “Discord has already had one ID breach; why would anyone verify on it after that?”
  - “This is how Discord dies. Uploading any kind of government ID to a third‑party company is just asking for identity theft on a global scale.”
- r/discordapp – Many users pledged never to submit selfies or IDs, accusing Discord of downplaying privacy risks while harvesting data.
Sources
- Discord press release: Discord launches teen‑by‑default settings globally
- Ars Technica report on the breach: Discord says hackers stole government IDs of 70,000 users
- Discord security‑incident update: Update on security incident involving third‑party customer service
- The Verge coverage: Discord age verification global roll‑out
- Reddit discussions:
Who Can Access Discord Age‑Check Data?
Discord says its system ensures that only users have access to their age‑check data and that the information never leaves their phones. After a recent breach, Discord partnered with k‑ID, an increasingly popular age‑verification provider also used by Meta and Snap, to tighten security.
Reddit users remain skeptical. One user noted that the wording in k‑ID’s privacy policy is “pretty unclear and inconsistent,” suggesting that ID scans might be uploaded to k‑ID servers, deleted, and then possibly shared with “trusted 3rd parties” for verification. The same user summed it up as:
“Everywhere along the chain it reads like ‘we don’t collect your data, we forward it to someone else…’”
Discord did not immediately respond to requests for comment on how age checks work without data leaving the device.
What the Policies Say
k‑ID states that its “facial age estimation” tool is provided by a Swiss company called Privately. Key points from the policy:
- “We don’t actually see any faces that are processed via this solution.”
- “Neither k‑ID nor its service providers collect any biometric information from users when they interact with the solution. k‑ID only receives and stores the outcome of the age‑check process.”
A k‑ID spokesperson clarified:
“The Facial Age Estimation technology runs entirely on the user’s device in real time when they are performing the verification. No video or image is transmitted; only a pass/fail result (and some non‑personal performance metrics) leaves the device.”
“k‑ID does not receive personal data from Discord when performing age‑assurance. This is an intentional design choice grounded in data‑protection and data‑minimisation principles. There is no storage of personal data by k‑ID or any third parties, regardless of the age‑assurance method used.”
Privately’s Role
Privately’s website provides additional detail on on‑device age estimation:
- The service is built to minimise data collection and comply with the EU’s General Data Protection Regulation (GDPR).
- “No user biometric or personal data is captured or transmitted.”
- The technology runs on edge‑AI models that operate locally on the user’s device or browser, avoiding cloud transmission.
From Privately’s privacy policy:
“Our technology is built using on‑device edge‑AI that facilitates data minimisation so as to maximise user privacy and data protection. The machine‑learning‑based technology processes user data on their own devices, thereby avoiding the need for us or our partners to export personal data to any cloud services.”
Privately also employs a double‑blind implementation, meaning it only knows the result of an age check and cannot link that result to a specific user or platform.
Bottom Line
| Party | Claim about Data Flow | What Actually Leaves the Device |
|---|---|---|
| Discord | Age‑check data never leaves the user’s device. | Pass/fail result (no raw image/video). |
| k‑ID | Verification runs locally; only outcome is sent to Discord. | Pass/fail result + non‑personal performance metrics. |
| Privately | On‑device edge‑AI; no biometric data is transmitted or stored. | No biometric data; only the age‑check outcome. |
- The policies aim to reassure users, but the lack of unified, crystal‑clear language across the parties leaves some uncertainty about who ultimately has access to the age‑verification results.
Discord expects to lose users
Some Discord users may never be asked to verify their ages, even if they try to access age‑restricted content. Savannah Badalich, Discord’s global head of product policy, told The Verge that Discord “is also rolling out an age inference model that analyzes metadata, like the types of games a user plays, their activity on Discord, and behavioral signals like signs of working hours or the amount of time they spend on Discord.”
“If we have a high confidence that they are an adult, they will not have to go through the other age verification flows,” Badalich said.
Badalich confirmed that Discord is bracing for some users to leave the platform over the update but suggested that “we’ll find other ways to bring users back.”
On Reddit, Discord users complained that age verification is easy to bypass, forcing adults to share sensitive information without keeping kids away from harmful content. In Australia, where Discord’s policy first rolled out, some kids claimed that Discord never even tried to estimate their ages, while others found it easy to trick the system by using AI‑generated videos or altering their appearances to look older. A teen girl relied on fake eyelashes to do the trick, and a 13‑year‑old boy was estimated to be over 30 after scrunching his face to seem more wrinkled.
Badalich told The Verge that Discord doesn’t expect the tools to work perfectly but acts quickly to block workarounds, like teens using Death Stranding’s photo mode to skirt age gates. However, questions remain about the accuracy of Discord’s age‑estimation model, especially in assessing minors’ ages.
Privately claims its technology is “proven to be accurate to within 1.3 years for 18‑20‑year‑old faces, regardless of a customer’s gender or ethnicity.” Yet experts told Ars Technica last year that flawed age‑verification technology still frequently struggles to distinguish minors from adults, particularly when differentiating between a 17‑ and an 18‑year‑old.
Discord’s prior scandal involved hackers stealing government IDs that users shared as part of the appeal process to correct an incorrect age estimation. Appeals could remain the most vulnerable part of this process, according to The Verge. Badalich confirmed that a third‑party vendor would review appeals, with the only reassurance that IDs shared during appeals “are deleted quickly—in most cases, immediately after age confirmation.”
On Reddit, Discord fans awaiting the changes remain upset. One disgruntled user suggested that “corporations like Facebook and Discord will implement the cheapest possible, bare‑minimum‑under‑the‑law verification to cover their ass from a lawsuit,” while forcing users to trust that their age‑check data is secure.
Another user joked that she’d be more willing to trust that selfies never leave a user’s device if Discord were “willing to pay millions to every user whose scan does leave a device.”
This story was updated on February 9 to clarify that government IDs are checked off‑device.
About the author
Ashley Belanger is a senior policy reporter for Ars Technica, dedicated to tracking the social impacts of emerging policies and new technologies. She is a Chicago‑based journalist with 20 years of experience.

