Persona age verification system exposed user data including ID documents and selfies

Sensitive user data like ID documents and selfies were exposed by the Persona age verification system, leading Discord to stop using the service.

Researchers have uncovered significant vulnerabilities in age verification systems used by platforms like Discord, leading to concerns about user privacy and potential data misuse. The exposed systems, particularly those provided by the vendor Persona, allowed access to sensitive user information, including identification documents and biometric data. These revelations follow a previous incident where 70,000 Discord users' IDs were compromised through a separate third-party vendor.

Security Lapses and Data Access

Security researchers have brought to light a critical issue concerning the Persona age verification system, which was briefly used by Discord.

  • A publicly accessible Persona frontend was discovered on a US government-authorized server.

  • Researchers found 2,456 files available for access on this exposed frontend.

  • The system, intended for age verification, is described as processing identity documents and selfies.

Persona's Role and Public Response

Persona provides identity verification services for several major online platforms, including Roblox, Discord, Reddit, and ChatGPT. The recent findings have prompted significant scrutiny.

  • Discord has stated it will not continue using Persona for age verification.

  • Persona CEO Rick Song has released email correspondence with security researchers regarding the allegations.

  • Researchers described the system as a "large-scale identity surveillance setup" that users were likely unaware of.

Previous Discord Data Breach

The concerns about Persona follow an earlier incident impacting Discord users.

  • In October 2025, hackers accessed a third-party service used by Discord for age verification.

  • This breach resulted in the potential exposure of identification documents belonging to approximately 70,000 users.

  • The compromised data included names, Discord usernames, email addresses, and other contact details.

Nature of the Exposed Persona System

The Persona system's architecture and the type of data it processes have raised specific alarms.

  • The system outlines 269 distinct verification checks.

  • Researchers indicated that these checks involved direct government filings, rather than simple data integrations.

  • The presence of the system on dedicated infrastructure, separate from common cloud services, was noted as unusual.

Expert and User Reactions

The exposure of these vulnerabilities has led to widespread concern among users and security experts.

  • Users have expressed distrust regarding platforms handling sensitive personal information.

  • The trend of age verification legislation globally is seen as creating new targets for data exposure.

  • Experts advise users to be cautious of any application requesting biometric verification or government IDs.

Conflicting Narratives

While researchers have presented evidence of system vulnerabilities and potential surveillance, Persona has emphasized its privacy-focused approach.

  • Persona markets its tools as "privacy-focused compliance infrastructure."

  • CEO Rick Song has engaged in public correspondence to address the security researchers' findings.

  • The exact scale and intent of the data handling within the Persona system remain points of contention between researchers and the company.

Investigations and Future Implications

The revelations regarding Persona's exposed systems are under active investigation.

  • Discord has taken steps to end its relationship with Persona.

  • The incidents highlight the risks associated with third-party vendors handling sensitive user data.

  • Calls for stricter oversight and enhanced security protocols for identity verification systems are expected to increase.

Frequently Asked Questions

Q: What sensitive data was exposed by the Persona age verification system?
Researchers found that the Persona age verification system had a public frontend that exposed 2,456 files. These files contained sensitive user information, including identification documents and selfies used for age checks.

Q: Which platforms used the Persona age verification system?
Persona provides identity verification services to several large online platforms. These include Discord, Roblox, Reddit, and ChatGPT, although Discord has now stopped using Persona's services.

Q: Why did Discord stop using Persona for age verification?
Discord announced it would not continue using Persona for age verification after researchers uncovered significant vulnerabilities. These flaws allowed access to sensitive user data, raising privacy concerns.

Q: How does this Persona data exposure relate to the previous Discord data breach?
This incident follows a previous breach in October 2025 where hackers accessed a different third-party service used by Discord. That breach potentially exposed ID documents of around 70,000 Discord users, highlighting ongoing risks with age verification vendors.

Q: What did researchers say about the Persona system's design?
Researchers described the Persona system as a "large-scale identity surveillance setup" that users were likely unaware of. They noted that the system involved 269 distinct verification checks, including direct government filings, and was hosted on unusual, dedicated infrastructure.

Q: What should users do if they are concerned about their data after these breaches?
Experts advise users to be cautious about any application that asks for biometric verification or government IDs. It is important to understand how platforms handle and protect sensitive personal information, especially when using third-party verification services.