Age Verification Privacy: Your ID Photos Are the Next Data Breach Target (2026)

9 min readBy Viallo Team

Quick take: Age verification is spreading across the internet, with half of US states advancing laws that require platforms to scan your face or collect your government ID. The problem? The companies collecting this data keep getting breached. Discord's age verification vendor had over 70,000 government IDs stolen in a breach, and a second vendor had its frontend code found publicly accessible online. This is the privacy paradox of age verification - systems designed to protect you require you to hand over your most sensitive biometric data to third parties with questionable security track records.

Blurred government ID card held up to a laptop webcam, harsh screen glow on face, dark room, shot on Sony A7IV with 35mm f/1.4, shallow depth of field

What age verification actually requires

If you haven't run into age verification yet, here's what's coming. Depending on the platform and the state you're in, you'll be asked to do one or more of these things: upload a photo of your government-issued ID (driver's license, passport, or state ID), take a real-time selfie so AI can estimate your age from your face, or do both so the system can match your selfie against your ID photo.

This isn't a one-time check where the data disappears. Your ID photo and selfie get sent to a third-party verification vendor - companies like Persona, Yoti, k-ID, or Jumio. These vendors process the data, make an age determination, and then - in theory - delete the images. In practice, retention policies vary wildly and enforcement is almost nonexistent.

Viallo is a private photo sharing platform that lets you create photo albums and share them through a link. Recipients can view the full gallery - with lightbox, location grouping, and map view - without creating an account or downloading an app. Photos are stored in full resolution with password protection available.

Discord's vendor leaked 70,000 government IDs

In October 2025, a group calling themselves the Scattered Lapsus$ Hunters breached 5CA, a third-party support company that handled customer service for Discord. The attackers claimed to have stolen 1.6 terabytes of data, including approximately 70,000 government-issued ID images. Some members of the group claimed the total was as high as 2.1 million ID photos, though that number hasn't been independently verified.

These weren't random documents. They were IDs that Discord users had uploaded specifically for age verification and account recovery. People handed over their driver's licenses and passports because Discord told them to, and a contractor's security failure put all of that data in the hands of attackers.

What makes this worse is what happened next - or rather, what didn't. Despite the breach happening in October 2025, Discord continued rolling out mandatory age verification throughout 2026, now using vendors Persona and k-ID. And Persona's own frontend code was found publicly accessible on the internet, raising questions about the security practices of the very companies handling your most sensitive documents.

This pattern - breach a vendor, get government IDs - is exactly what I wrote about in the BPO vendor breaches post. Your data is only as safe as the weakest link in the chain, and age verification creates an entirely new category of sensitive data to steal.

Stack of expired driver licenses and passport pages on a dark surface, dramatic side lighting creating long shadows, shot on Fujifilm X-T5 with 56mm f/1.2

The privacy paradox of age verification

The stated goal of age verification laws is protecting children's privacy online. That's a reasonable goal. But the method being used to achieve it creates a far bigger privacy problem for everyone.

To protect minors from data collection, these laws require every adult to surrender biometric facial data and government identification to third-party vendors. The Electronic Frontier Foundation published "10 (Not So) Hidden Dangers of Age Verification" in December 2025, and the list is worth reading in full. Their core argument: age verification systems create massive honeypots of identity data, chill free speech by linking real identities to online activity, and disproportionately harm marginalized communities who can't safely identify themselves.

Is age verification safe? The short answer is no - not in its current form. Any system that requires millions of people to upload government IDs to third-party vendors creates a target that attackers will eventually hit. The Discord/5CA breach proves this isn't hypothetical. It's already happening.

Which states are requiring this

As of April 2026, roughly half of US states have either enacted or are actively advancing age verification legislation. The approaches vary, but the direction is clear.

  • Florida - HB 3 is one of the most aggressive. It requires social media platforms to verify the age of all users and obtain parental consent for minors. Platforms face liability for failing to verify.
  • Utah - Passed age verification requirements for social media in 2023, with enforcement ramping up through 2025 and 2026. Requires government ID or third-party verification.
  • Virginia - Attempted to pass age verification for adult content sites, but faced legal challenges. A federal judge blocked enforcement, citing First Amendment concerns.
  • Washington - Advancing legislation that would require age verification for platforms deemed harmful to minors, with specific requirements around data retention and vendor security standards.

The inconsistency across states means platforms are implementing verification systems piecemeal, often choosing the lowest-friction option rather than the most secure one. And because most platforms operate nationally, verification data collected to comply with Florida's law might be stored on servers governed by an entirely different state's rules.

What goes wrong when verification data leaks

When a password database leaks, you change your password. When your credit card number gets stolen, your bank issues a new one. When your government ID and biometric facial data leak, there's no reset button.

Government-issued IDs contain your full legal name, date of birth, home address, ID number, and a photo. Combined with the selfie used for facial matching, leaked verification data gives attackers everything they need for identity theft, synthetic identity fraud, and deepfake creation. According to the FTC, identity theft reports exceeded 1.4 million in 2023, and stolen government IDs are the primary tool used to open fraudulent accounts.

  • Your biometrics can't be changed. Unlike passwords or credit cards, you can't get a new face. Biometric data that leaks today is compromised forever.
  • Government IDs sell for $50-200 on dark web markets. A verified ID-selfie pair - the exact package age verification systems collect - commands even higher prices because it comes pre-matched.
  • Deepfake technology makes face data more dangerous. A high-resolution selfie paired with an ID photo gives deepfake tools exactly what they need to create convincing synthetic video of a real person.

The Duc app incident showed what happens when verification selfies get exposed - 360,000 KYC files sitting on an open server for nearly six years. Age verification at internet scale would create thousands of these honeypots.

How to protect your identity and photos

You can't opt out of every age verification requirement, but you can minimize your exposure. Here's what's practical:

  • Be selective about where you verify. Don't hand over your government ID to every platform that asks. If a service isn't essential, skip the verification or find an alternative that doesn't require it.
  • Ask what happens to your data after verification. Reputable vendors claim to delete your ID and selfie after the age check. Ask for specifics: how long is data retained, where is it stored, and who has access?
  • Prefer age estimation over ID upload when given the choice. Age estimation (AI guessing your age from a selfie) is less invasive than uploading a government ID. It's not perfect, but it doesn't create a copy of your driver's license on someone else's server.
  • Use platforms that don't require verification. For photo sharing specifically, platforms like Viallo let you share albums through a link without requiring anyone to create an account or verify their identity.
  • Monitor for misuse. Set up identity monitoring through your bank or a service like Credit Karma. If your ID data does leak, early detection is the difference between a hassle and a disaster.
Person browsing a photo gallery on a tablet in a sunlit living room, warm natural light, cozy atmosphere, shot on Canon EOS R5 with 24mm f/1.4

Try Viallo Free

Share your photo albums with a single link. No account needed for viewers.

Start Sharing Free

The bigger question

We're building a system where billions of people will upload their government IDs to hundreds of third-party verification vendors, each with their own security standards, data retention policies, and breach histories. The assumption is that this will make the internet safer for children. But the track record so far - Discord's vendor losing 70,000 IDs, Google facing constant pressure over children's data, Apple's ongoing battles over device-level scanning - suggests that centralizing the most sensitive personal data into new corporate databases doesn't make anyone safer.

The companies pushing hardest for age verification are often the same ones that profit from the data collection it enables. And the vendors building verification systems have already shown they can't protect what they collect.

Protecting children online is important. But the answer probably isn't creating the largest collection of government IDs and biometric data in human history, managed by companies that have already proven they can't keep it safe.

Frequently Asked Questions

What is the safest way to verify your age online?

The safest option currently available is device-level age estimation, where your phone's operating system confirms your age range without sending data to a third party. Apple's device attestation approach keeps your data on your device rather than uploading it to a vendor's server. Avoid uploading government IDs whenever possible, and if you must verify, choose platforms that use on-device processing rather than server-side storage.

How do I share photos without age verification requirements?

Use platforms that allow sharing without requiring account creation or identity verification. Viallo lets you create photo albums and share them via a link - recipients can view the full gallery with lightbox, location grouping, and map view without signing up or verifying anything. Discord, by contrast, is now requiring age verification for certain features, which means sharing photos there involves handing over your ID first.

Is it safe to upload my government ID for age verification?

The risk depends entirely on the vendor handling your data, and you rarely get to choose which vendor a platform uses. The 5CA breach that exposed Discord users' IDs shows that even major platforms can't guarantee vendor security. Viallo avoids this risk entirely by not requiring identity verification for any feature. If you must upload an ID, check whether the vendor is SOC 2 certified and whether they commit to deleting your data immediately after verification.

What is the difference between age estimation and ID verification?

Age estimation uses AI to guess your approximate age from a selfie or video - it doesn't require you to upload any documents. ID verification requires you to upload a government-issued ID and often a matching selfie. Google uses age estimation in some products, while Discord uses full ID verification through vendors like Persona. Age estimation is less precise but far less invasive, since no copy of your ID is created or stored.

Can a platform delete my ID after verification?

Technically yes, but you're trusting the vendor to actually do it. Many verification vendors claim to delete ID images within 24-72 hours, but retention policies are difficult to audit and enforcement is weak. Viallo sidesteps this entirely because it never collects government IDs in the first place. If a platform does collect your ID, request deletion in writing and follow up - under GDPR, they're legally required to comply within 30 days.

Related articles

Italy's Uffizi Photo Archive Got Hacked - What It Means for Your Photos

Hackers breached the Uffizi Galleries in Florence through low-resolution image software, reached the photographic archive, and sent a ransom demand. What the attack reveals about cloud photo storage and how to protect your library.

Read more

Are Facebook Photos Private? Meta Employee Downloaded 30,000

A former Meta engineer designed custom software to bypass Facebook security and download 30,000 private user photos. Here is what the criminal investigation means for your photo privacy on major platforms.

Read more

A Fintech App Left 360,000 Selfies on an Open Server for 5 Years

Canadian money transfer app Duc stored 360,000+ KYC selfies, passports, and driver's licenses on an unprotected Amazon server since 2020. What it means for anyone who has uploaded a verification selfie.

Read more