Discord Draws Fresh Criticism After Identity Verification Partner’s Files Appear Online
Popular chat platform Discord is once again under the spotlight after security researchers uncovered publicly accessible files connected to Persona, an identity verification firm the company briefly used to test age-checking features. The findings have reignited concerns about how online platforms manage user data — especially when that responsibility is shared with outside vendors.
The discovery did not involve a traditional hack. Instead, researchers reported that thousands of files related to Persona’s verification system were accessible online without the need for specialized tools or exploits. The ease of access has fueled debate about transparency, oversight, and the complexity of modern identity verification systems.
Thousands of Files Found on a Government-Authorized Endpoint
According to researchers who published their findings online, nearly 2,500 files tied to Persona’s infrastructure were accessible through an endpoint associated with the U.S. government’s Federal Risk and Authorization Management Program, commonly known as FedRAMP. In total, they said roughly 53 megabytes of data were available for viewing.
The exposed materials reportedly included uncompressed front-end code — essentially the visible part of a web application that runs in users’ browsers. By examining this code, researchers said they could see how Persona’s system was structured and what types of checks it was capable of performing.
Among the features outlined in the files were facial recognition comparisons against watchlists, screenings against databases of politically exposed persons (PEPs), and scans for negative or “adverse media” across 14 categories, including terrorism and espionage. The system was also described as capable of performing up to 269 distinct verification checks, assigning risk scores and similarity scores based on user data.
While these kinds of checks are common in banking, financial compliance, and workforce background screening, critics questioned whether such expansive capabilities were necessary for something as routine as confirming a user’s age on a social platform.
Researchers also pointed out that the endpoint where the files were found appeared to include references that suggested a sensitive operational environment. That detail further amplified concerns, even though no direct evidence indicated misuse of personal data.
A Brief Trial Between Discord and Persona
Both Persona and Discord confirmed that their partnership was short-lived, lasting less than a month. The collaboration was part of a limited trial aimed at strengthening Discord’s age verification tools as the company faces increasing regulatory and public pressure to improve online safety for minors.
Discord said only a small group of users participated in the test. Information submitted during the trial could be stored for up to seven days before deletion.
Persona, which counts companies such as OpenAI, Lime, and Roblox among its clients, provides a range of identity services. These include age checks, know-your-customer (KYC) verification, and anti-money laundering (AML) screening. The company is backed by Founders Fund, a venture firm co-founded by Peter Thiel.
Lingering Concerns Over Third-Party Data Handling
The latest controversy comes on the heels of an earlier incident involving a separate vendor. In October 2025, Discord disclosed that hackers had accessed identification documents belonging to more than 70,000 users. Those users had submitted government IDs as part of a previous age-verification process.
Discord clarified at the time that its own systems had not been breached. Instead, the compromise occurred at 5CA, a third-party provider supporting the company’s customer service and trust and safety operations. Only users who had interacted with those teams were affected, and impacted individuals were notified.
Even so, the episode left many users uneasy about how much personal information was being shared with external partners and how securely it was being stored.
Teen Safety Defaults Trigger Backlash
Earlier this month, Discord introduced a policy shift that would default all accounts to teen-safety settings globally. Users seeking access to certain age-restricted servers or features would need to verify their age, with Persona initially named as a verification partner.
The announcement was met with swift criticism. Some users pointed to the 2025 data breach and questioned whether expanding age verification requirements would expose more people to privacy risks.
Within a day, Discord clarified that age verification would remain optional except for those attempting to access restricted spaces. The company said it could estimate the age of most users based on existing account data. For users required to verify, options included uploading a government ID or submitting a video selfie.
Discord emphasized that facial scans would remain on the user’s device and that the company would receive only confirmation of age — not identifying details. It also stated that ID documents processed by third-party vendors would be deleted quickly, often immediately after verification.
However, archived versions of the company’s FAQ page indicated that in some experimental cases — particularly involving UK users — submitted information could be stored for up to seven days before deletion. That discrepancy added to confusion over how long data might actually be retained.
Discord’s Chief Technology Officer, Stanislav Vishnevskiy, acknowledged publicly that the rollout was expected to generate controversy but maintained that stronger verification tools are essential for user safety.
Persona Pushes Back
Persona’s CEO and co-founder, Rick Song, rejected the suggestion that the exposed files represented a serious vulnerability. He described them as uncompressed front-end resources that are normally delivered to users’ browsers during standard operations.
Song conceded that leaving such files openly accessible is not ideal but argued that their presence did not expose sensitive personal data. He said the company did not classify the issue as a major security flaw.
He also stated that any data processed during the Discord trial was redacted immediately after verification and not retained beyond the stated window. Persona, he added, does not link facial biometrics to financial records or law enforcement databases.
Addressing speculation about ties to government agencies, Song said Persona has no relationship with Immigration and Customs Enforcement (ICE), Palantir, or intelligence agencies. The company is pursuing FedRAMP authorization, but he said that effort is focused on workforce identity solutions rather than social media age checks.