Credit: Pixabay/CC0 Public Domain
A variety of websites now have processes designed to verify the ages of their users. These checks are carried out in several ways. For instance, AI can be used to analyze whether a photo of the person looks old enough for the age threshold on a website.
Asking for photo ID, such as a scan of a person’s driving license or passport, is another method, along with asking for a verified credit card.
However, the amount of personal data involved in completing age verification comprises a veritable treasure trove for hackers.
Recent inciden…
Credit: Pixabay/CC0 Public Domain
A variety of websites now have processes designed to verify the ages of their users. These checks are carried out in several ways. For instance, AI can be used to analyze whether a photo of the person looks old enough for the age threshold on a website.
Asking for photo ID, such as a scan of a person’s driving license or passport, is another method, along with asking for a verified credit card.
However, the amount of personal data involved in completing age verification comprises a veritable treasure trove for hackers.
Recent incidents have further highlighted the privacy and security concerns around age verification. In October 2025, Discord, a social media and chat platform popular among gamers was hacked, with an unspecified amount of data extracted.
However, the company said it had identified 70,000 users globally who potentially had their photo IDs exposed to the hackers. Discord said the data was accessed through a third-party service provider, although it remains unclear exactly how the breach occurred.
Age verification checks for the UK were brought in by Discord in order to comply with the Online Safety Act. The act required that websites allowing pornography and harmful content introduce age checks by July 25 2025.
In July 2025, the Tea app, which allows women to anonymously share information about the men they date for safety purposes, was also hacked. The app requires a photo selfie and photo ID in order to register. The breach reportedly revealed these photos along with content and messages.
Grave consequences
These breaches highlight issues of compliance with website privacy policies, security practices and general data protection regulations (GDPR) legislation.
When Discord brought in age verification, its support website said it did “not permanently store personal identity documents or your video selfies.” It added, “Images of your identity documents and ID match selfies are deleted directly after your age group is confirmed, and the video selfie used for facial age estimation never leaves your device.”
The consequences of such breaches can be grave. Leaked images of selfies and photo IDs can lead to users facing a range of harms, such as identity theft and fraud. The kind of data that’s hacked also lends itself to particularly sophisticated forms of these crimes, particularly when you consider the availability of deepfake technology and generative AI tools.
In fact, third-party providers have represented a consistent vulnerability to be relentlessly exploited by cybercriminals, as seen in recent breaches of the UK Ministry of Defence, the Co-op supermarket and M&S to name but a few.
The proliferation of age verification checks in recent years is partly a response to new legislation, such as France’s Security and Regulation of the Digital Space law, the European Commission’s Digital Services Act and the Online Safety Acts in the UK and Australia. These all deem checks where users self-declare their age as unfit for purpose. Instead, they require websites to use more effective methods, such as photo ID matching, or credit card checks.
In a recent press release, the UK’s Department of Science, Innovation and Technology attempted to address the cybersecurity and privacy concerns arising from such checks. The department’s guidance says that any measures implemented by platforms to confirm a user’s age must be done “without collecting or storing personal data, unless absolutely necessary.”
This reiterates rules from the EU’s GDPR legislation. Further guidance is offered by the UK Information Commissioner’s Office and the regulator, Ofcom.
However, the Tea and Discord breaches highlight regulators’ inability to prevent data retention or enforce data deletion in practice. This is particularly relevant when the third parties are located outside of the UK.
The incidents show that the implementation and use of age verification requires genuine review; further regulation of data handling with enforcement powers—beyond mere guidance. This is a necessity to safeguard privacy, especially when third-party companies are involved.
This article is republished from The Conversation under a Creative Commons license. Read the original article.
Citation: Online age checking is creating a treasure trove of data for hackers (2025, November 11) retrieved 11 November 2025 from https://techxplore.com/news/2025-11-online-age-treasure-trove-hackers.html
This document is subject to copyright. Apart from any fair dealing for the purpose of private study or research, no part may be reproduced without the written permission. The content is provided for information purposes only.