Discord ID Leak: What Could Have Been Prevented But Wasn’t

If you follow cybersecurity news, you likely already heard about the Discord ID leak that occurred in September 2025. But now that some time has passed, perhaps it’s worth taking a look back at it to review the whole situation in full.

The incident in question happened after hackers breached 5CA, a third-party customer service provider used by Discord. The company stated that approximately 70,000 users had government ID photos, along with other information, exposed. However, according to the ransomware group, the number of age-verification tickets in their possession is actually closer to 521,000, which comes to a total of nearly 2.2 million photos or roughly 1.5TB of user data.

How The Discord ID Leak Came to Be

The part about this whole ordeal that I find the most ironic is that this whole mess could’ve easily been avoided had Discord not cut corners to save a few dollars. 

Ever since the idea of mandatory age verification for platforms containing adult content was first proposed with the UK’s Digital Economy Act all the way back in 2017, privacy advocates have been pretty much screaming about all the possible risks that such a law would bring. There was no shortage of people concerned about how storing such sensitive information could easily lead to leaks and exposures. 

Now, in 2025, with the UK, Australia, several EU countries, and half of the US states having already implemented such laws despite better judgment, various platforms, including Discord, were forced to implement age verification systems. Yet, it’s how they chose to deal with this issue that differed.

Some of the affected companies chose to do everything in their power to ensure that no unfortunate incidents occurred or downright retreated from the regions in question, banning access altogether. Others, like Discord, were trying to be “smart” with it. We all know what happened next.

The Real Problem With The Discord ID Leak

Despite the supposedly good intentions behind them, age verification laws are very imperfect, and generally, they are the wrong method to effectively protect minors online. They not only don’t stop the underage users from accessing restricted websites, as finding a workaround is all too easy, but they also endanger the sensitive data of legitimate users, as incidents like the Discord ID leak clearly prove.

But the biggest issue in this exact situation is not any of the laws but the choices some companies, like Discord, make when complying with the new requirements and how they handle the situation when things inevitably fall apart due to their aforementioned choices.

It’s bad enough when it’s just logins and passwords that get leaked, but in this case, we’re talking passports, ID cards, and driver’s licenses – the kind of documents that are of the highest importance and can’t just be reset. Yet, not only did Discord not own up to their mistake, shifting the blame on 5CA, but it also flat out refused to pay hackers their demanded $3.5 million ransom, effectively leaving its users to pay the price with their personal data instead.

Yes, technically, it was 5CA that was collecting the data and inevitably leaked it, whether it was due to the hacking or due to the human error, as claimed by 5CA itself. But it’s definitely not like Discord didn’t know the risks it was taking when it entrusted its users’ sensitive data to a customer support outsourcing firm, which never should’ve been handling such info in the first place.

Now, deception like this is already inexcusable, but perhaps you could find some justification if it was a small startup that could hardly break even as it was. But this is a multibillion-dollar company we’re talking about. They could’ve easily implemented the highest-tier ID verification technology, which checks IDs locally on your device and only sends the confirmation to the server, and their pockets would barely feel any lighter. But they didn’t, and they’re unlikely to do it now either.

What Discord ID Leak Taught Us

Governments dash out age verification laws all too carelessly, not minding the consequences that might come with doing so without having it all fully worked out. It often feels that for the people making these decisions, it’s more about exerting power than creating laws that would be useful or work as intended.

At the same time, most of the big companies have only one thing on their minds – money. As this incident shows, rarely do they care what laws like these try to achieve or how to make the required changes with the user’s welfare in mind. Instead, they’ll choose the easiest path that costs them the least when complying with the requirements they were presented with and gambling with the possible risks that come with it.

The reality is that our digital security and privacy are our own responsibility. Age verification laws are here, whether we like them or not, and if I were to guess, this is just the start. So be mindful whenever you’re online – use a reliable VPN where you can, and check every corner before you upload your ID where you can’t. Protect yourself, because chances are, no one else will, even if they say otherwise.