Communication platform Discord is under fire after its identity verification software, Persona Identities, was found to have front-end code accessible on the open internet and on government servers.
Nearly 2,500 accessible files were found sitting on a U.S. government-authorized endpoint, researchers pointed out on X. The files showed Persona conducted facial recognition checks against watchlists and screened users against lists of politically exposed persons.
In addition to verifying a user’s age, researchers found Persona performs 269 distinct verification checks, including screening for “adverse media” across 14 different categories such as terrorism and espionage. It then assigns risk and similarity scores to user information.
And the information was openly available. “We didn’t even have to write or perform a single exploit, the entire architecture was just on the doorstep,” wrote the researchers in their blog, adding they found 53 megabytes of data on a Federal Risk and Authorization Management Program (FedRAMP) government endpoint that also “tags reports with codenames from active intelligence programs.”
Discord has since announced it is cutting ties with Persona. The AI software, partially funded by Palantir cofounder Peter Thiel’s venture firm Founders Fund, continues to provide age verification services for OpenAI, Lime, and Roblox.
Both Persona and Discord confirmed to Fortune their partnership lasted for less than a month and has since dissolved. According to Discord, only a small number of users were part of this test, in which any information submitted could be stored for up to seven days before it would be deleted.
Discord’s safety overhaul missteps
This isn’t the first time a third-party vendor has come under scrutiny for mishandling sensitive user information for Discord, which is popular among gamers, students, influencers, tech professionals, and other communities.
Last year, hackers accessed the government IDs of more than 70,000 users who had complied with Discord's age-verification requirements.
In a statement from Oct. 9, 2025, the company said the attack was “not a breach of Discord, but rather a breach of a third party service provider, 5CA.” Discord stated the breach affected only users who communicated with the company’s Customer Support or Trust and Safety teams.