Online age checks are creating a goldmine of data for hackers

Many websites now have processes in place to verify the age of their users. These checks are performed in several ways. For example, AI can be used to analyze whether a person’s photo looks appropriate for the age threshold on the website.

In addition to providing a verified credit card, one option is to ask for a photo ID, such as a driver’s license or passport scan.

However, the amount of personal data required to complete age verification is a veritable gold mine for hackers.

Recent incidents have further highlighted privacy and security concerns regarding age verification. In October 2025, Discord, a social media and chat platform popular among gamers, was hacked and an unspecified amount of data was extracted.

However, the company said it has identified 70,000 users around the world whose photo IDs may have been exposed to hackers. Discord said the data was accessed through a third-party service provider, but it remains unclear how the breach occurred.

UK age verification checks were introduced by Discord to comply with online safety laws. The law requires websites that allow pornographic or harmful content to implement age checks by July 25, 2025.

In July 2025, the Tea app, which allows women to anonymously share information about the men they date for safety, was also hacked. A selfie and photo ID are required to register for the app. The breach reportedly resulted in these photos being leaked along with their content and messages.

serious consequences

These breaches highlight issues with websites’ privacy policies, security practices, and compliance with General Data Protection Regulation (GDPR) laws.

When Discord introduced age verification, its support website stated that it “does not permanently store personal identification documents or selfie videos.” It added: “Identification images and ID-matched selfies are deleted immediately after the age group is verified, and video selfies used for facial age estimation never leave the device.”

The consequences of such a breach can be severe. When selfies and photo ID images are leaked, users can be exposed to a variety of victims, including identity theft and fraud. The type of data being hacked also lends itself to particularly sophisticated forms of these crimes, especially given the availability of deepfake technology and generative AI tools.

In fact, third-party providers represent a consistent vulnerability that is persistently exploited by cybercriminals, as seen in the recent breaches of the UK Ministry of Defence, Co-op supermarkets and M&S.

The recent surge in age verification checks is part of a response to new laws such as France’s Digital Spatial Security Act, the European Commission’s Digital Services Act, and the UK and Australia’s Online Safety Act. These are all considered checks in which the user self-declares his or her age as unsuitable for the purpose. Instead, websites are required to use more effective methods, such as photo ID verification and credit card verification.

In a recent press release, the UK Department for Science, Innovation and Technology attempted to address cybersecurity and privacy concerns arising from these tests. The ministry’s guidance states that any measures taken by platforms to verify a user’s age must be done “without collecting or storing personal data unless absolutely necessary.”

This reiterates the rules of the EU’s GDPR law. Further guidance is provided by the UK Information Commissioner’s Office and regulator Ofcom.

However, the Tea and Discord breaches highlighted that regulators cannot actually prevent data retention or force data deletion. This is particularly relevant where the third party is located outside the UK.

This incident shows that the implementation and use of age verification requires real consideration. Further regulation of data processing with enforcement powers beyond mere guidance. This is necessary to protect your privacy, especially when third-party companies are involved.

This article is republished from The Conversation under a Creative Commons license. Read the original article.