Discord is cutting ties with its identity verification software, Persona Identities, after researchers revealed that Persona’s front-end code, including details about its extensive data screening capabilities, was openly accessible on U.S. government servers, as reported by Fortune. This is a pretty wild revelation, showing how deeply some of these verification tools can dig into user data.
Researchers, who posted their findings on X, uncovered nearly 2,500 accessible files sitting on a U.S. government-authorized endpoint. These files showed that Persona wasn’t just verifying ages; it was performing facial recognition checks against watchlists and screening users against lists of politically exposed persons.
Beyond age verification, Persona, which is partially funded by Palantir cofounder Peter Thiel’s venture firm Founders Fund, apparently conducts a whopping 269 distinct verification checks. This includes screening for “adverse media” across 14 different categories, from terrorism to espionage. Then, it assigns risk and similarity scores to user information.
What’s truly concerning is that all this information was just openly available
As the researchers put it in their blog, they “didn’t even have to write or perform a single exploit, the entire architecture was just on the doorstep,” finding 53 megabytes of data on a Federal Risk and Authorization Management Program (FedRAMP) government endpoint that even “tags reports with codenames from active intelligence programs.”
In response to these findings, Discord quickly announced it’s dissolving its partnership with Persona. Both companies confirmed to Fortune that their collaboration lasted less than a month. Discord stated that only a small number of users were part of this test, and any submitted information was supposed to be stored for a maximum of seven days before deletion.
This isn’t the first time Discord has faced issues with third-party vendors handling sensitive user information. Last year, hackers managed to access the government IDs of over 70,000 users who had complied with age-verification requirements. Discord clarified in an October 9, 2025 statement that this was a breach of a third-party service provider, 5CA, not Discord itself, and it affected users who communicated with their Customer Support or Trust and Safety teams.
They reassured users, saying, “At Discord, protecting the privacy and security of our users is a top priority.” Affected users were notified if their government IDs, IP addresses, or limited billing and corporate data were leaked.
Earlier this month, Discord also faced swift backlash after announcing that all accounts would default to teen-safety settings. Initially, this meant users wanting access to additional features would need to verify their age using Persona. Savannah Badalich, Discord’s head of product policy, said these settings “builds on Discord’s existing safety architecture.”
However, after users highlighted the previous October data hack, Discord quickly amended its statement the next day. They clarified that age verification would remain optional unless users wanted to access age-restricted servers and channels. Discord also said it could determine most users’ ages with “information we already have,” meaning most wouldn’t need to upload government IDs and could instead opt for video selfies. They even claimed “facial scans never leave your device. Discord and our vendor partners never receive it.”
But an archived, now-deleted version of Discord’s FAQ on age verification seems to contradict this, stating that for UK users in an experiment, information submitted to Persona could be stored for up to seven days.
Published: Feb 24, 2026 04:00 pm