
Age Verification Wants Your ID. What Happens to It?

Age verification laws now require uploading a government ID or selfie to access apps. A 2026 breach shows what can go wrong — and how to reduce risk.

Over the past year, a growing list of apps and websites has started asking for something they never used to require: a photo of your government-issued ID, or a live selfie to match against it. This isn’t a single company’s idea — it’s the result of age-verification laws spreading across multiple countries and U.S. states, all aimed at restricting minors’ access to certain content and platforms.

The intent behind these laws is straightforward enough. The execution creates a new category of personal data exposure that most users haven’t had to think about before: a clear photo of your face, paired with your legal name, date of birth, address, and ID number, uploaded to a platform — or more often, to a third-party vendor working on that platform’s behalf.

A 2026 incident involving Discord and one of its verification vendors is a useful case study in exactly how this can go wrong.


What Happened With Discord’s ID Verification

In late 2025, Discord disclosed that an unauthorized party had compromised one of its third-party customer service vendors, a company called 5CA. That vendor had been used to review age-related appeals — cases where a user disputed an age restriction and submitted a government ID to prove they were old enough.

Roughly 70,000 users had their government ID photos exposed as part of this breach. A group calling itself “Scattered Lapsus$ Hunters” claimed responsibility and attempted to extort Discord for ransom over the stolen data.

The detail worth sitting with: these were not 70,000 people who had done anything wrong. They were users who had been asked to prove their age, complied by uploading an ID, and had that ID photo sitting in a vendor’s systems — a vendor most of them had never heard of — when it was breached.

Four months later, Discord rolled out a much broader age-verification requirement, asking all 200 million users to either submit a video selfie or upload a government ID through a third-party verification provider, in order to access certain content or modify safety settings. The breach didn’t stop the expansion of ID-based verification — it happened in the middle of it.


Why This Is a Different Kind of Exposure

People are generally more careful with documents they recognize as “sensitive” — passports, tax forms, medical records. ID verification for an app doesn’t always register the same way, for a few reasons:

It’s framed as a safety feature. Age verification is presented — accurately — as a child-safety measure. That framing makes the upload feel like compliance with a good cause, which can lower the guard people would normally apply to handing over a photo ID.

The recipient often isn’t the platform itself. As the Discord case shows, ID verification is frequently outsourced to third-party vendors specializing in identity checks. You’re uploading your ID to a company you didn’t choose, didn’t research, and may never be told the name of — your relationship is with the platform, but your data’s custodian is whoever the platform contracted with.

It combines several high-value data points at once. A government ID photo contains your full legal name, date of birth, document number, and often your address — paired with a live selfie that confirms the face matches. That combination is close to a complete identity-theft starter kit, and it’s now sitting in a database somewhere you have limited visibility into.

It’s becoming routine, not exceptional. When ID verification was rare — for opening a bank account, say — people treated it as a significant moment. When dozens of apps and websites all start asking for the same thing within a short span, each individual request feels smaller, even though the cumulative exposure grows with every service that now holds a copy.


The Regulatory Trend Isn’t Slowing Down

Age-verification requirements are expanding because of legislation, not because platforms independently decided to add friction. The UK’s Online Safety Act, various U.S. state laws, and similar regulations in other jurisdictions are pushing platforms toward “robust” age-verification methods — and a photo ID or biometric selfie check is one of the most common ways platforms choose to comply, because it’s harder to circumvent than a self-reported birthdate.

This means the trend is structural, not a passing phase. If anything, more platforms — social networks, content sites, even some shopping and gaming services — are likely to add ID-based verification over time as more jurisdictions pass similar laws. The practical reality is that most people will be asked to upload a government ID to a consumer app more often in the coming years, not less.


What You Can Actually Control

You generally can’t refuse age verification if you want to use a platform that requires it — that’s the point of the regulation. But there are things within your control around how you handle the documents involved.

Understand the verification method before you use it. Some verification flows are designed so the ID photo is checked against an algorithm and then discarded, without a human ever seeing it or the image being retained. Others are reviewed manually and stored for some retention period. The platform’s help center or privacy policy usually describes which model is in use — it’s worth the two minutes to check before uploading, especially for platforms you’ll need to verify repeatedly.

Use the minimum document necessary. If a platform accepts multiple ID types and one reveals less information than another (for example, a document without your home address), use that one when you have the choice.

Don’t leave a copy of your ID sitting in your camera roll. Many people photograph their ID once and then reuse that photo for every verification request that comes along — which means a single photo, originally taken for one purpose, ends up uploaded to multiple unrelated services over time, each retaining its own copy indefinitely. If you need to keep a digital copy of an ID for repeated use, store it somewhere under your control rather than in a general photo library that gets backed up, indexed, and surfaced in “memories” features alongside your everyday photos.

Watch for breach notifications tied to services you’ve verified with. If you’ve completed age verification on a platform, treat breach notifications from that platform — or any vendor it names — as relevant to you specifically, even if the notification is broad. The Discord case shows that verification vendors are now part of your personal attack surface, even though you never directly chose to interact with them.


Where daftei Fits

The underlying problem with ID-based verification isn’t the verification itself — it’s that the resulting photo of your ID often ends up duplicated across services, retained indefinitely, and managed by vendors with varying security practices, while sitting unprotected in the same camera roll as your everyday photos.

daftei isn’t a verification service and doesn’t change whether a platform requires ID verification. What it offers is a private place to keep a copy of your own identity documents — separate from your general photo library — encrypted in transit with TLS 1.3 and at rest with AES-256, never used to train AI, never sold, and never shown to advertisers. If you need to reference or re-upload an ID document for a verification flow, having it in a dedicated, organized, private store is a meaningfully different posture than having it buried in thousands of camera roll photos that get backed up and indexed by default.


The Bigger Picture

Age-verification laws exist for legitimate reasons, and the goal of keeping younger users away from certain content is one most people support. But the mechanism — uploading a government ID or biometric selfie to an expanding list of platforms and their vendors — creates a new, durable category of personal data exposure that didn’t exist at this scale a few years ago.

The Discord breach is a preview of what happens when that data isn’t handled carefully: tens of thousands of people who did exactly what they were asked, and ended up with their ID photos in the hands of extortionists because of a vendor they’d never heard of. As more platforms adopt similar requirements, the question worth asking isn’t whether to comply — it’s how many copies of your ID are now sitting in how many places, and whether you’d know if one of them was breached.
