Age verification checks on websites are becoming a prime target for hackers, creating a significant privacy and security risk for users. The methods used to verify age – including AI analysis of photos, requests for photo ID (driving licenses, passports), and credit card checks – generate a wealth of personal data that is increasingly vulnerable to breaches. Recent incidents underscore the severity of the problem, raising questions about the effectiveness of current regulations and enforcement.
The Rising Tide of Breaches
In October 2025, Discord, a popular social media platform, suffered a hack that potentially exposed the photo IDs of 70,000 users. The breach occurred through a third-party service provider, highlighting a systemic weakness in how age verification is implemented. Similarly, in July 2025, the Tea app, which requires users to submit photo ID and selfies, was also hacked, revealing sensitive user data. These incidents demonstrate that even platforms complying with new legislation, such as the UK’s Online Safety Act, are not immune to breaches.
Regulatory Compliance vs. Real-World Security
The push for stricter age verification is driven by legislation like the UK’s Online Safety Act, France’s digital space law, and the EU’s Digital Services Act. These laws deem self-declared age checks insufficient and mandate more robust methods, such as photo ID matching or credit card verification. However, the reality is that many platforms rely on third-party providers to handle this data, creating a weak link in the security chain. Discord’s claim that it does not permanently store identity documents is undermined by the fact that its third-party provider was breached, exposing user data regardless.
The Consequences of Data Leaks
The potential harm from leaked selfies and photo IDs is substantial. Users face identity theft, fraud, and increasingly sophisticated cybercrimes enabled by deepfake technology and generative AI. The availability of such personal data amplifies the risk of targeted attacks and malicious manipulation. Moreover, the fact that third-party providers are frequently located outside of strict regulatory jurisdictions (like the EU or UK) makes enforcement of data deletion and security standards nearly impossible.
The Need for Stricter Oversight
Despite guidance from regulators like the UK’s Information Commissioner’s Office and Ofcom, the Tea and Discord breaches prove that current measures are ineffective at preventing data retention or enforcing deletion. The UK’s Department of Science, Innovation and Technology has attempted to address these concerns, reiterating GDPR rules that require data minimization. However, the reality is that platforms are often incentivized to retain data for commercial purposes, even if it violates privacy regulations.
The Path Forward
To safeguard user privacy, stricter oversight and enforcement are essential. Regulators must move beyond mere guidance and impose binding requirements on platforms and third-party providers. This includes mandatory data deletion policies, regular security audits, and severe penalties for non-compliance. The current approach, which relies on voluntary self-regulation, has proven inadequate. Without genuine enforcement powers, age verification online will continue to be a goldmine for data hackers.