
    Grave consequences: New privacy risks as hacks breach age data


    A variety of websites now have processes designed to verify the ages of their users. These checks are carried out in several ways. For instance, AI can be used to analyse whether a photo of a person looks old enough for the age threshold on a website.

    Asking for photo ID, such as a scan of a person’s driving licence or passport, is another method, along with asking for a verified credit card.

    But the personal data collected during these checks forms a rich target for hackers. Recent incidents have exposed the privacy and security risks that come with age verification systems.

    In October 2025, Discord, the social and chat platform popular among gamers, was hacked. The company said it identified about 70,000 users worldwide whose photo IDs may have been accessed through a third-party service provider, though it remains unclear how the breach occurred. The system had been introduced in the UK to comply with the Online Safety Act, which required websites hosting pornography or harmful content to implement age verification by July 25, 2025.

    Just months earlier, the Tea app—which lets women anonymously share information about men they date—was also compromised. Tea requires a selfie and photo ID at registration; the hack reportedly exposed these images along with private messages and content.

    Both cases have raised questions about compliance with privacy policies, data protection standards and GDPR. When Discord launched its verification system, the company claimed it did “not permanently store personal identity documents or video selfies,” stating that such images were deleted once a user’s age group was confirmed, and that facial analysis data “never leaves your device.”

    Despite such assurances, the consequences of leaks can be severe. Exposed selfies and ID scans can lead to identity theft and fraud, especially as generative AI and deepfake tools make it easier to exploit this kind of data. Third-party processors remain a consistent weak point, repeatedly targeted in cyberattacks—including recent breaches of the UK Ministry of Defence, Co-op and Marks & Spencer.

    The spread of age verification checks reflects growing global regulation. France’s Security and Regulation of the Digital Space law, the EU Digital Services Act, and the Online Safety Acts in the UK and Australia all deem self-declared age checks inadequate. Instead, they require stricter systems, such as ID matching or verified payment methods.

    In response to privacy concerns, the UK’s Department for Science, Innovation and Technology has advised that platforms must confirm users’ ages “without collecting or storing personal data, unless absolutely necessary.” The principle mirrors existing EU GDPR rules, echoed by guidance from the Information Commissioner’s Office and Ofcom.

    Even so, the Discord and Tea breaches show that regulators struggle to enforce data deletion or prevent retention, particularly when third-party providers operate abroad.

    The incidents point to a deeper flaw: the very systems meant to protect users from harmful content now risk exposing them to new harms. Stronger oversight of data handling — with enforceable penalties, not just advisory guidance — is essential if privacy is to be safeguarded in an era where verification itself has become a security risk.

    Tsagas is Senior Lecturer in Law, Cybercrime & AI Ethics, University of East London

    The Conversation

    Mark Tsagas