The instant messaging app Discord has suffered a colossal leak of user data:
The threat actor quotes Discord’s official statement on government-ID image numbers, then taunts and reveals the actual figures. pic.twitter.com/QsR7GEhO5I
— International Cyber Digest (@IntCyberDigest) October 8, 2025
The situation has raised questions around the safety of the ‘Online Safety Act‘.
Discord data leak
According to the BBC, the leak involves the official ID photos of “70,000” people. Users can provide a photograph of themselves holding their ID to confirm their age with Discord, which they do via a third party. According to Discord, it was one of these third party providers who experienced the breach.
Rumours online suggest there may be more leaks to come, although these same sources acknowledge the hackers may be lying to strengthen their position.
The No to Digital ID group shared the following message, featuring numbers which are far higher than the BBC report:
The Discord data breach ONLY happened because Discord implemented the Online Safety Act.
“
– 1.5 TB of data – Over 2 million government ID photos – Threat actor publishes some user data due to Discord’s inaction
Sample of a user…
— No to Digital ID (@NoToDigitalID) October 9, 2025
According to Discord itself, the higher number was shared by the hackers as part of their attempt to extort money. As for the claim that Discord was implementing checks due to the Online Safety Act, the BBC reported in April:
Discord is testing face scanning to verify some users’ ages in the UK and Australia.
The social platform, which says it has over 200 million monthly users around the world, was initially used by gamers but now has communities on a wide range of topics including pornography.
The UK’s online safety laws mean platforms with adult content will need to have “robust” age verification in place by July.
Reporting on the Online Safety Act, Steve Topple wrote the following for the Canary in July:
While the Online Safety Act was sold as a child‑safety milestone, critics argue it’s structurally incapable of delivering that outcome. Campaigners from organisations including Barnardo’s, the Molly Rose Foundation and CARE UK warn that loopholes around algorithmic recommendations, autoplay, live‑streaming, and age verification mean the legislation “will not bring about the changes that children need and deserve”. Rather than curtail harmful exposure, the law risks becoming symbolic rather than effective.
Since enforcement began on 25 July, age verification—via ID scans, facial estimation, or mobile verification—has triggered over five million age checks per day, mostly on porn sites. But this in turn has driven a rapid surge in VPN downloads as users seek to bypass access controls, shifting minors toward less‑regulated parts of the internet and raising their exposure to greater harms rather than reducing it.
Byline Times, meanwhile, carried the following comments from James Baker (programme manager at Platform Power) in July:
Thanks to the Online Safety Act, people in Britain are being compelled to use unregulated age verification tools in order to access content online.
Many of these providers are based outside of the UK and have questionable privacy policies. But users don’t have a choice if they want to have full access to social media sites such as X, Reddit, and Bluesky, or to use dating apps like Grindr.
The risks from handing over sensitive data are real and people are understandably worried about what could happen. The government needs to take these privacy concerns seriously by regulating the age verification industry and ensuring that providers have high standards of privacy and security. But they also need to limit the scope of the Act so that people aren’t forced to risk their privacy whenever they go online.
Featured image via Cyferd (license details)
By Willem Moore
From Canary via this RSS feed
You must log in or # to comment.