Discord has confirmed that one of its third-party customer support providers experienced a security breach, resulting in the unauthorized access of some user data — including government-issued IDs.
The incident has reignited concerns about age verification laws across regions such as the UK, US, and the EU, where many users have turned to VPNs to avoid sharing sensitive information due to cybersecurity risks.
Cybersecurity experts have long warned that collecting personal data like government IDs is a “disaster waiting to happen,” arguing that platforms requiring such information for age checks are prime targets for hackers.
Discord’s case appears to support this warning. The company revealed that IDs accessed during the breach were submitted by users who had “appealed an age determination,” rather than those directly providing identification for verification.
The company explained that an “unauthorized party” infiltrated its third-party customer service system “to access user data, with a view to extort a financial ransom from Discord.”
The extent of compromised data varies by user, but may include:
- Name, Discord username, and email address
- Contact details and limited billing information
- IP address and correspondence with support agents
- Limited internal business data
- Government ID images
Discord clarified that credit card details, CCV codes, passwords, and chat messages were not affected. Users impacted by the breach will receive an official notification from noreply@discord.com
, and those whose ID images were accessed will be explicitly informed.
After discovering the incident, Discord revoked the vendor’s access to its ticketing system, initiated an internal investigation, and alerted law enforcement. The platform also reviewed and strengthened its security and monitoring systems for third-party partners.
Discord has urged affected users to “stay alert when receiving messages or other communication that may seem suspicious.”
The breach underscores the potential privacy risks tied to age verification laws, as the compromise of ID information demonstrates how easily sensitive data can become vulnerable. Although the stolen IDs were not taken from a dedicated age verification provider, the situation highlights the inherent dangers of sharing personal data with third-party services.
Critics maintain that users should not have to submit personal documents to access online platforms. While the laws aim to protect minors from harmful online content, privacy advocates suggest more secure alternatives exist.
Laura Tyrylyte, a privacy advocate at NordVPN, stated that “device-level controls are the most effective way to manage children's internet access,” citing parental control tools as examples that allow parents to block certain apps, set age limits, and manage downloads.
The UK’s Online Safety Act, implemented in July 2025, mandated nationwide age verification, which led to a surge in VPN usage as users sought to bypass the restrictions. In the US, 24 states have already enacted similar laws, with more expected to follow soon.