Just 4 months after hackers stole 70,000 government IDs from Discord’s age verification system, the platform is demanding even more sensitive data from every user worldwide.

Discord announced on February 9, 2026 that it’s implementing mandatory age verification globally starting in March 2026. Every user—all 200+ million of them—will be defaulted to a “teen-appropriate experience” unless they prove they’re adults through facial scans or government ID submission.

Discord Breach Update: Threat Actor Claims 2.1 Million Government IDs Stolen in Massive 1.5TB Data Haul

The timing couldn’t be worse. In October 2025, hackers breached a Discord third-party vendor and made off with at least 70,000 images of government-issued IDs. Some security researchers believe the actual number could be far higher—the attackers claimed to have stolen 2.1 million ID photos.

Now Discord wants to collect this data from everyone.

What’s Changing

Starting in early March 2026, Discord will implement what it calls “Teen-by-Default” settings for all users worldwide:

If you don’t verify your age, you’ll face these restrictions:

  • No access to age-restricted servers and channels—even ones you’re already in- Age-restricted servers you belong to will be “obfuscated” with a black screen- Content filters automatically enabled for “graphic or sensitive” material- Cannot speak on stage in servers- Warning prompts for friend requests from unknown users- DMs from unknown users filtered into a separate inbox- Cannot modify certain privacy settings

To prove you’re an adult, Discord gives you two options:

  1. Facial age estimation – Record a video selfie that AI analyzes to guess your age2. Government ID submission – Upload your passport, driver’s license, or other official ID

Discord says some users “may be asked to use multiple methods” if one isn’t sufficient.

The Privacy Problem

Discord claims the facial age estimation happens entirely on your device—the video selfie “never leaves” your phone. But that reassurance rings hollow given what we know about their security track record.

For ID verification, Discord partners with a company called k-ID, which itself works with a Swiss company called Privately for facial analysis. The privacy policies are murky at best.

“The wording is pretty unclear and inconsistent even if you dig down to the k-ID privacy policy,” one concerned user noted after reviewing the documentation. “Everywhere along the chain it reads like ‘we don’t collect your data, we forward it to someone else…’”

Discord says IDs submitted to their vendor partners “are deleted quickly—in most cases, immediately after age confirmation.” But we’ve heard that before.

The October 2025 Breach: A Warning Ignored

On October 3, 2025, Discord disclosed that hackers had compromised one of its third-party customer service providers and stolen sensitive user data. According to Discord’s own disclosure, the breach exposed:

  • At least 70,000 government ID images (passports, driver’s licenses)- Names, Discord usernames, email addresses- Messages and conversation transcripts with support agents- Limited billing and payment metadata- IP addresses associated with support interactions

The breach started on September 20, 2025, when attackers compromised a support agent’s account. They had access to Discord user data for approximately 58 hours.

The hackers initially demanded a $5 million ransom, later reduced to $3.5 million. Discord refused to pay.

But here’s the concerning part: the attackers, a cybercrime group called Scattered LAPSUS$ Hunters, claimed they actually stole 1.5 terabytes of data from 5.5 million users, including over 2.1 million photos of government IDs. The third-party vendor (5CA) denied that it handled government IDs at all—while simultaneously admitting the incident “potentially resulted from human error.”

Someone isn’t telling the truth. Either way, the outcome is the same: sensitive government identification documents are now in criminal hands.

Discord Hit by Third-Party Customer Service Data Breach: Government IDs and User Data Exposed

Digital Rights Groups Have Been Warning About This

The Electronic Frontier Foundation (EFF) and other digital rights organizations have long opposed age verification mandates, arguing they create massive honeypots of sensitive data that will inevitably be breached.

“The best advice for people who have submitted IDs to Discord or any other service is to assume they have been or soon will be stolen by hackers and put up for sale or used in extortion scams,” warned Ars Technica’s Senior Security Editor after the October breach.

The Discord breach proved these warnings prescient. Now, with global age verification, the target on Discord’s back just got exponentially larger.

”This Is How Discord Dies”

User reaction has been swift and overwhelmingly negative. On Reddit, hundreds of users condemned the decision:

“Hell, Discord has already had one ID breach, why the f*** would anyone verify on it after that?”

“Seriously, uploading any kind of government ID to a 3rd party company is just asking for identity theft on a global scale.”

“This is how Discord dies.”

Discord seems aware they’re going to lose users over this. “We do expect that there will be some sort of hit there,” acknowledged Savannah Badalich, Discord’s head of product policy, “and we are incorporating that into what our planning looks like. We’ll find other ways to bring users back.”

The Death Stranding Loophole

When Discord first rolled out age verification in the UK last year, users discovered a creative workaround: using Death Stranding’s photo mode. The video game’s character creator allowed users to generate convincing enough fake selfies to fool Discord’s AI age estimation.

Discord claims they “immediately fixed it after a week,” but acknowledged users “will continue finding creative ways to try getting around the age checks.”

This highlights a fundamental problem with age verification: it creates an arms race between platforms trying to verify identity and users trying to maintain their privacy.

What You Can Do

If you want to avoid age verification:

  • Accept the “teen-appropriate” experience and restricted features- Consider migrating to alternative platforms before the March rollout- Use Discord primarily for non-age-restricted content

If you must verify:

  • Use facial age estimation over ID submission if possible (less data exposure)- Review k-ID’s and Privately’s privacy policies- Consider using a fresh photo rather than one that matches other online accounts- Assume any data you submit could eventually be breached

General privacy hygiene:

  • Use email aliases for Discord- Don’t store sensitive information in Discord messages- Consider using a VPN when accessing Discord- Regularly review and revoke third-party app connections

The Bigger Picture

Discord’s move is part of a global wave of age verification mandates driven by child safety legislation. Similar systems have been implemented by Roblox and YouTube. The UK’s Online Safety Act and Australia’s age verification requirements are pushing platforms to collect this data.

But the Discord breach demonstrates the fundamental flaw in this approach: any system that collects government IDs creates a high-value target for hackers. The question isn’t if the data will be breached—it’s when.

Proton, the privacy-focused email provider, put it bluntly: “That a social media platform used primarily by gamers feels a need to collect this information shows how far the mission creep of age verification laws, whose stated purpose is to protect kids from pornography, has already spread.”

We’re trading one set of risks (children accessing adult content) for another (mass identity theft). Four months after the largest age verification breach in Discord’s history, the platform’s response is to collect even more of the exact same data that was stolen.

Discord users worldwide now face a choice: hand over their face or ID to a company with a proven track record of losing that data, or accept a permanently restricted experience on a platform they may have used for years.

Neither option is good. Both are by design.

Sources:

🎧 Related Podcast Episode