Communication platform Discord is under fire after its identity verification software provider, Persona Identities, was found to have frontend code accessible on the open web and on government servers.
Nearly 2,500 accessible files were found sitting on a U.S. government-authorized endpoint, researchers pointed out on X. The files showed Persona performed facial recognition checks against watchlists and screened users against lists of politically exposed persons.
In addition to verifying a user’s age, researchers found Persona performs 269 distinct verification checks, including screening for “adverse media” across 14 different categories such as terrorism and espionage. It then assigns risk and similarity scores to user information.
And the data was openly available. “We didn’t even have to write or perform a single exploit, the entire architecture was just on the doorstep,” wrote the researchers in their blog, adding they found 53 megabytes of data on a Federal Risk and Authorization Management Program (FedRAMP) government endpoint that also “tags reports with codenames from active intelligence programs.”
Discord has since announced it is cutting ties with Persona. The AI software, partially funded by Palantir co-founder Peter Thiel’s venture firm Founders Fund, continues to provide age verification services for OpenAI, Lime, and Roblox.
Both Persona and Discord confirmed to Fortune that their partnership lasted less than a month and has since dissolved. According to Discord, only a small number of users were part of this test, in which any information submitted could be stored for up to seven days before it would be deleted.
Discord’s safety overhaul missteps
This isn’t the first time a third-party vendor has come under scrutiny for mishandling sensitive user information for Discord, which is popular among gamers, students, influencers, tech professionals and other communities.
Last year, hackers accessed the government IDs of more than 70,000 users who had complied with its age-verification requirements.
In a statement from Oct. 9, 2025, the company said the attack was “not a breach of Discord, but rather a breach of a third party service provider, 5CA.” Discord stated the breach affected only users who had communicated with the company’s Customer Support or Trust and Safety teams.
And earlier this month, Discord faced almost-immediate backlash after announcing it would default all accounts to teen-safety settings. Users seeking access to additional features would be required to verify their age using Persona.
“Rolling out teen-by-default settings globally builds on Discord’s existing safety architecture,” Discord’s Head of Product Policy Savannah Badalich said in the statement. The company “will continue working with safety experts, policymakers, and Discord users to support meaningful, long-term wellbeing.”
But after users quickly pointed to the October data hack, Discord amended the statement the next day to clarify that age verification would remain optional unless users wished to access age-restricted servers and channels.
Discord said it could determine the ages of most users using the “information we already have.” Most users wouldn’t have to upload government IDs and could instead opt for video selfies.
“We offer multiple privacy-forward options through trusted partners,” the addendum stated, adding “facial scans never leave your device. Discord and our vendor partners never receive it.”
Any identifying documents uploaded to Discord would be submitted to the platform’s third-party vendors and deleted quickly. “In most cases, immediately after age confirmation,” read the statement.
“IDs are used to get your age only and then deleted,” it continued. “Discord only receives your age — that’s it. Your identity is never associated with your account.”
However, a since-deleted version of Discord’s FAQ on its age verification policies appears to contradict the company’s claims about how long government IDs are stored by the third-party vendor, in this case Persona.
“Important: If you’re located in the UK, you may be part of an experiment where your information will be processed by an age-assurance vendor, Persona,” an archived version of the site reads. “The information you submit will be temporarily stored for up to 7 days, then deleted. For ID document verification, all details are blurred except your photo and date of birth, so only what’s truly needed for age verification is used.”
Persona gets personal
Persona CEO and cofounder Rick Song told Fortune that the files weren’t a vulnerability but, instead, publicly accessible frontend information. “What was found was uncompressed files of a front end that’s already on every single person’s device,” he said, adding that the information is available in the company’s help center and API documentation. “I don’t think having uncompressed files online is good,” Song went on, but added that the information found by the researcher is the uncompressed version of a company’s compressed source map online.
“I think this is one of these in which the contents of it seems scarier, but…internally, we didn’t consider this even a major vulnerability.”
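Song’s point about uncompressed frontend files turns on source maps: a minified production bundle often ships with a `sourceMappingURL` comment, a sibling `.map` file, or an inline `data:` URL map, any of which lets a reader reconstruct the readable original source, including internal logic such as the check catalogue the researchers described. The script below is an added example, not Persona’s, Discord’s or the researchers’ code; it builds a constructed sample build tree (nothing from any real deployment) and shows how a defender can audit a build output directory for shipped maps before publishing, and strip them when the bundler cannot be configured to omit them:

```python
"""Pre-deploy audit for shipped source maps (added example; sample tree is constructed)."""
import base64
import json
import tempfile
import re
from pathlib import Path

# Matches `//# sourceMappingURL=...` and `/*# sourceMappingURL=... */`
# (the `@` form is the legacy spelling). The optional trailing `*/` is
# consumed so that stripping a CSS comment does not leave a dangling close.
SOURCEMAP_RE = re.compile(r"(?://|/\*)\s*[#@]\s*sourceMappingURL=([^\s*]+)\s*(?:\*/)?")


def audit_build_dir(build_dir):
    """Walk a build output directory and report everything that would hand a
    reader the unminified frontend: .map files, assets pointing at a map URL,
    and inline (data: URL) maps, which embed the original sources in the bundle."""
    root = Path(build_dir)
    findings = {"map_files": [], "map_references": [], "inline_maps": []}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.suffix == ".map":
            findings["map_files"].append(rel)
            continue
        if path.suffix not in (".js", ".css"):
            continue
        match = SOURCEMAP_RE.search(path.read_text(encoding="utf-8", errors="replace"))
        if not match:
            continue
        url = match.group(1)
        if url.startswith("data:"):
            findings["inline_maps"].append(rel)
        else:
            findings["map_references"].append((rel, url))
    return findings


def strip_sourcemap_comments(build_dir):
    """Delete .map files and remove sourceMappingURL comments from .js/.css assets
    in place. Returns the number of files changed. This is the fallback when the
    bundler cannot be told to omit maps; the audit above is still the gate."""
    root = Path(build_dir)
    changed = 0
    for path in sorted(root.rglob("*")):  # sorted() materialises the list before we delete
        if not path.is_file():
            continue
        if path.suffix == ".map":
            path.unlink()
            changed += 1
        elif path.suffix in (".js", ".css"):
            text = path.read_text(encoding="utf-8", errors="replace")
            cleaned = SOURCEMAP_RE.sub("", text)
            if cleaned != text:
                path.write_text(cleaned, encoding="utf-8")
                changed += 1
    return changed


def make_sample_build():
    """Constructed sample build tree (hypothetical file names, not real Persona output)."""
    d = Path(tempfile.mkdtemp(prefix="build_"))
    (d / "static").mkdir()
    inline_map = base64.b64encode(json.dumps({
        "version": 3, "sources": ["src/checks.ts"],
        "sourcesContent": ["// original TypeScript would be embedded here"],
    }).encode()).decode()
    (d / "static" / "app.js").write_text("console.log(1);\n//# sourceMappingURL=app.js.map\n")
    (d / "static" / "app.js.map").write_text('{"version":3,"sources":["src/app.ts"]}')
    (d / "static" / "vendor.js").write_text(
        "console.log(2);\n//# sourceMappingURL=data:application/json;base64," + inline_map + "\n")
    (d / "static" / "style.css").write_text("body{margin:0}\n/*# sourceMappingURL=style.css.map */\n")
    (d / "index.html").write_text('<script src="static/app.js"></script>\n')
    return d


if __name__ == "__main__":
    build = make_sample_build()
    print("before:", audit_build_dir(build))
    print("files changed:", strip_sourcemap_comments(build))
    print("after:", audit_build_dir(build))
```

Run `audit_build_dir` against the bundler output in CI and fail the pipeline on any finding. Keeping maps for crash reporting is fine as long as they go to the error tracker and never into the public web root; an inline `data:` map is the worst case, because the full original source travels inside the bundle itself.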
Song still considers the partnership between Persona and Discord to be a success. “I think the performance of the product did incredibly well,” the CEO told Fortune. “The reason why we were able to say that all data was redacted immediately is because the data was redacted; it had already been redacted upon processing. It’s not like it was due to the termination of the contract that we delete the data. It’s deleted immediately after a verification of the individual.”
Song denied any ties to Palantir, ICE or the government, but said the company is going through FedRAMP authorization. “We are trying to get FedRAMP and the goal of that is we do a lot of work for workforce security,” which uses an entirely different set of data to confirm an employee is who they say they are, compared with a user on a social media platform verifying their age.
As for the 269 types of verification checks, these are all options Persona offers, said Song, but that doesn’t necessarily mean a client would need all of them. In essence, the needs of a social media platform verifying age wouldn’t be the same as those of an employer conducting a background check.
Song was also attacked for his lack of personally identifiable information online. A user on X posted a screenshot of the CEO’s LinkedIn profile showing Song with a verified badge but no profile photo. Persona handles LinkedIn’s identity verification requests.
In response, Song wrote, “I am verified. That’s the entire point. It’s dystopian that we want people to facedox themselves to everyone to be real online. It’s ironic that folks posting about privacy want me to facedox to everyone.”
