![](\"https:\/\/fortune.com\/img-assets\/wp-content\/uploads\/2026\/02\/GettyImages-2261647012-e1771866643179.jpg?w=2048\")
<\/p>\n<\/p>\n
Communication platform Discord is under fire after its identity verification software, Persona Identities, was found to have frontend code accessible on the open internet and on government servers.\u00a0<\/p>\n
Nearly 2,500 accessible files were found sitting on a U.S. government-authorized endpoint, researchers pointed out on X. The files showed Persona conducted facial recognition checks against watchlists and screened users against lists of politically exposed persons.<\/p>\n
In addition to verifying a user\u2019s age, researchers found Persona performs 269 distinct verification checks, including screening for \u201cadverse media\u201d across 14 different categories such as terrorism and espionage. It then assigns risk and similarity scores to user information. <\/p>\n
And the information was openly available. \u201cWe didn\u2019t even have to write or perform a single exploit, the entire architecture was just on the doorstep,\u201d wrote the researchers in their blog, adding they found 53 megabytes of data on a Federal Risk and Authorization Management Program (FedRAMP) government endpoint that also \u201ctags reports with codenames from active intelligence programs.\u201d<\/p>\n
Discord has since announced it is cutting ties with Persona. The AI software, partially funded by Palantir co-founder Peter Thiel\u2019s venture firm Founders Fund, continues to provide age verification services for OpenAI, Lime, and Roblox.<\/p>\n
Both Persona and Discord confirmed to Fortune<\/em> their partnership lasted for less than a month and has since dissolved. According to Discord, only a small number of users were part of this test, in which any information submitted could be stored for up to seven days before it would be deleted. <\/p>\n Discord\u2019s safety overhaul missteps<\/strong><\/p>\n This isn\u2019t the first time a third-party vendor has come under scrutiny for mishandling sensitive user information for Discord, which is popular among gamers, students, influencers, tech professionals and other communities. <\/p>\n Last year, hackers accessed the government IDs to more than 70,000 who had complied with its age-verification requirements.\u00a0<\/p>\n In a statement from Oct. 9, 2025, the company said the attack was \u201cnot a breach of Discord, but rather a breach of a third party service provider, 5CA.\u201d Discord stated the breach affected only users who communicated with the company\u2019s Customer Support or Trust and Safety teams.<\/p>\n \u201cAt Discord, protecting the privacy and security of our users is a top priority. That\u2019s why it\u2019s important to us that we\u2019re transparent with them about events that impact their personal information,\u201d the statement added. Affected users received an email if their government IDs, IP addresses, or limited billing and corporate data were leaked.<\/p>\n And earlier this month, Discord faced almost-immediate backlash after announcing it would default all accounts to teen-safety settings. Users seeking access to additional features would be required to verify their age using Persona.<\/p>\n \u201cRolling out teen-by-default settings globally builds on Discord\u2019s existing safety architecture,\u201d Discord\u2019s Head of Product Policy Savannah Badalich said in the statement. The company \u201cwill continue working with safety experts, policymakers, and Discord users to support meaningful, long-term wellbeing.\u201d<\/p>\n But after users quickly pointed out the October data hack, Discord amended the statement the following day to clarify that age verification would remain optional unless users wished to access age-restricted servers and channels.\u00a0<\/p>\n Discord said it could determine the ages of most users using the \u201cinformation we already have.\u201d Most users would not have to upload government IDs and instead could opt for video selfies.<\/p>\n \u201cWe offer multiple privacy-forward options through trusted partners,\u201d the addendum stated, adding \u201cfacial scans never leave your device. Discord and our vendor partners never receive it.\u201d<\/p>\n Any identifying documents uploaded to Discord would be submitted to the platform\u2019s third-party vendors and deleted quickly. \u201cIn most cases, immediately after age confirmation,\u201d read the statement.\u00a0<\/p>\n \u201cIDs are used to get your age only and then deleted,\u201d it continued. \u201cDiscord only receives your age \u2014 that\u2019s it. Your identity is never associated with your account.\u201d<\/p>\n However, a since-deleted version of Discord\u2019s FAQ on age verification policies appears to contradict the company\u2019s claims about how long government IDs are stored by the third-party vendor, in this case, Persona.<\/p>\n \u201cImportant: If you\u2019re located in the UK, you may be part of an experiment where your information will be processed by an age-assurance vendor, Persona,\u201d an archived version of the site reads. \u201cThe information you submit will be temporarily stored for up to 7 days, then deleted. For ID document verification, all details are blurred except your photo and date of birth, so only what\u2019s truly needed for age verification is used.\u201d<\/p>\n Persona gets personal<\/strong><\/p>\n Persona CEO and cofounder Rick Song told Fortune <\/em>that the files were not a vulnerability, but instead, publicly accessible frontend information. \u201cWhat was found was uncompressed files of a front end that\u2019s already on every single person\u2019s device,\u201d he said, adding the information is available on the company\u2019s help center and API documentation. \u201cI don\u2019t think having uncompressed files online is good,\u201d Song went on, but added the information found by the researcher is the uncompressed version of a company\u2019s compressed source map online.<\/p>\n \u201cI think this is one of these in which the contents of it seems scarier, but\u2026internally, we didn\u2019t consider this even a major vulnerability.\u201d<\/p>\n Song still considers the partnership between Persona and Discord to be a success. \u201cI think the performance of the product did incredibly well,\u201d the CEO told Fortune<\/em>. \u201cThe reason why we were able to say that all data was redacted immediately is because the data was redacted; it had already been redacted upon processing. It\u2019s not like it was due to the termination of the contract that we delete the data. It\u2019s deleted immediately after a verification of the individual.\u201d<\/p>\n Song denied any ties to Palantir, ICE or the government, but said the company is going through FedRAMP authorization. \u201cWe are trying to get FedRAMP and the goal of that is we do a lot of work for workforce security,\u201d which uses a whole other set of information to confirm an employee is who they say they are, than compared to a user on a social media platform verifying their age. <\/p>\n In response to the 269 kinds of verification checks, these are all options Persona offers, said Song, but it does not necessarily mean a client would need all of them. In essence, the needs of a social media platform for age verification would not be the same as an employer conducting a background check.<\/p>\n Over the weekend, Song denied that Persona\u2014which also offers Know Your Customer (KYC) and Anti-Money Laundering (AML) solutions\u2014links facial biometrics to financial records or law enforcement databases. Song posted screenshots of an email exchange with the researcher \u201cCeleste\u201d on X, stating the researcher\u2019s implication of some connection between Persona, Palantir and ICE has led to threats against members of the company.<\/p>\n \u201cWe have no relationship whatsoever with ICE, Palantir,\u201d Song\u2019s screenshot of the email exchange read. The CEO added that some of the members of the company who have received backlash are new grads or people who have recently signed on. \u201cI don\u2019t think these people are the ones that the public\u2019s ire should be directed at, and if anyone, it should be directed at me.\u201d<\/p>\n Song was also attacked for his lack of personally identifiable information online. A user on X posted a screenshot of the CEO\u2019s LinkedIn profile showing Song with a verified badge but lacking a profile photo. Persona handles LinkedIn\u2019s identity verification requests.<\/p>\n In response, Song wrote, \u201cI am verified. That\u2019s the entire point. It\u2019s dystopian that we want people to facedox themselves to everyone to be real online. It\u2019s ironic that folks posting about privacy want me to facedox to everyone.\u201d<\/p>\n<\/div>\n #Discord #cuts #ties #Peter #Thielbacked #verification #software #code #surveillance<\/p>\n","protected":false},"excerpt":{"rendered":" Communication platform Discord… <\/p>\n","protected":false},"author":1,"featured_media":24683,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[2],"tags":[4044,550,7698,3526,930,4605,1803,12462,1517,14275],"_links":{"self":[{"href":"https:\/\/microvibenews.com\/index.php?rest_route=\/wp\/v2\/posts\/24682"}],"collection":[{"href":"https:\/\/microvibenews.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/microvibenews.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/microvibenews.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/microvibenews.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=24682"}],"version-history":[{"count":0,"href":"https:\/\/microvibenews.com\/index.php?rest_route=\/wp\/v2\/posts\/24682\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/microvibenews.com\/index.php?rest_route=\/wp\/v2\/media\/24683"}],"wp:attachment":[{"href":"https:\/\/microvibenews.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=24682"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/microvibenews.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=24682"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/microvibenews.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=24682"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}