TL;DR: Discord announced on February 9, 2026, that starting in early March, every account (all 200 million monthly active users) will be locked into "teen-appropriate" settings by default. Adults who want full platform access must verify their age through facial age estimation (a face scan) or by submitting a government-issued ID. Unverified users lose access to age-restricted servers and channels, stage speaking, graphic content, and open direct messaging. Discord says video selfies stay on your device and submitted IDs are "deleted quickly." But in October 2025, hackers stole at least 70,000 government ID photos from Discord's third-party verification vendor, 5CA. The attackers claim the real number is 2.1 million. Discord is now asking you to trust the same type of system that already failed.

What's Actually Happening

On February 9, Discord rolled out what it calls "teen-by-default settings globally." Strip the corporate language and here's what it means: your Discord account is about to be treated like a child's account unless you prove otherwise.

Starting in early March 2026, every Discord user worldwide, new and existing, gets the following restrictions applied automatically:

  • Age-restricted servers and channels: Blocked. You'll see a black screen where the content used to be, even if you were a previous member.
  • Stage speaking: Banned. You can listen but not talk.
  • Graphic content: Blurred and hidden.
  • Direct messages: Filtered. Messages from people you don't know get routed to a separate inbox.
  • Friend request warnings: Pop-ups for requests from "unfamiliar users."

To undo any of this, you need to pass age verification. Discord gives you two options:

  1. Facial age estimation: You record a video selfie. Discord's system analyzes your face to estimate your age.
  2. Government ID: You upload a photo of your passport, driver's license, or national ID card to a third-party vendor.

That's it. Face scan or papers. Pick one.

The Part Discord Hopes You Forgot

On October 3, 2025, Discord disclosed that hackers had compromised 5CA, its third-party customer service and support vendor. The attackers had access for approximately 58 hours starting September 20, 2025.

What they stole:

  • At least 70,000 government ID photos: passports, driver's licenses, the same kind of documents Discord is now asking everyone to submit
  • Names, Discord usernames, and email addresses
  • Support conversation transcripts
  • Payment metadata including last four digits of credit cards
  • IP addresses from support interactions

The attackers demanded $5 million in ransom, later reduced to $3.5 million. They claimed to possess 2.1 million images total. Discord called that number inflated. 5CA denied any breach occurred on its end.

Nobody got fired. Nobody got fined. And four months later, Discord is scaling up the exact same type of data collection to all 200 million users.

Discord says it "switched providers" after the breach. It hasn't named the new vendor.

"Your Data Stays on Your Device" (Mostly)

Discord's announcement makes careful privacy promises. Let's break them down.

Claim: "Video selfies for facial age estimation never leave a user's device."

This is the strongest claim and, if true, the most privacy-respecting option. On-device processing means your face data isn't transmitted to Discord's servers or its vendors. But "facial age estimation" still means your phone's camera is analyzing your facial features to guess your age. And the announcement doesn't specify which vendor's technology powers this. Similar systems from Yoti (used by Meta, Roblox, and others) process facial geometry to estimate age. Even if the video stays local, the estimated age result still goes to Discord.

Claim: "Identity documents submitted to vendor partners are deleted quickly, in most cases, immediately after age confirmation."

Note the qualifiers. "In most cases." "Quickly." Not "always" and not "immediately." There's wiggle room in that language, and wiggle room is where breaches happen. We know this because the October 2025 breach happened at a vendor that was supposed to be handling this data securely.

Claim: "Age verification status remains private (invisible to other users)."

Other users won't see if you're verified. But Discord knows. And now Discord maintains a database of who has submitted biometric data or government IDs: a database that becomes a target the moment it exists.

The Background Model Nobody's Talking About

Buried in the announcement is a third verification method: Discord's "age inference model." This is a background system that analyzes your account behavior (gaming habits, activity patterns, app usage times) to guess whether you're an adult without asking you to verify.

Think about what that means. Discord is building a behavioral surveillance system that profiles how you use the app and makes age determinations based on your patterns. If the algorithm decides you act like a teenager, you get locked down. If it decides you act like an adult, you might get a pass.

Savannah Badalich, Discord's global head of product policy, framed it as convenience: the system "runs in the background to help determine whether an account belongs to an adult, without always requiring users to verify their age."

Convenient for Discord, maybe. But behavioral profiling to determine access rights is surveillance infrastructure, regardless of the stated purpose. Today it classifies "teen" vs. "adult." Tomorrow it could classify anything else.

The Age Verification Pipeline

Discord isn't doing this in a vacuum. Governments worldwide are pushing age verification mandates, and platforms are racing to comply:

  • UK: New age verification law forced Discord to start collecting IDs in the first place, which led directly to the October 2025 breach
  • Australia: Passed legislation banning social media for under-16s, requiring age verification
  • Roblox: Now requires facial verification for access to certain features
  • YouTube: Launched facial age estimation in the U.S.
  • Meta: Testing age verification across Instagram using similar facial estimation

The pattern is clear: governments mandate age checks, platforms collect biometric data to comply, that data becomes a breach target, breaches happen, and then the platforms collect even more data.

As Proton noted after the October Discord breach: "Age verification laws should not be enforced until genuinely secure, decentralized, open standard solutions are developed and made widely available." But laws are moving faster than the technology to implement them safely.

What You Can Do

Choose the Face Scan Over ID Upload

If you're going to verify, the facial age estimation option is less risky. Discord claims video selfies stay on your device. A government ID upload goes to a third-party vendor you can't vet, and the last vendor got breached. Neither option is great, but one creates less attack surface.

Evaluate Whether You Need Full Access

Most Discord servers don't require age-gated access. If you primarily use Discord for gaming communities, project coordination, or group chats, the "teen-appropriate" settings might not meaningfully restrict your experience. Check what you'd actually lose before handing over biometric data.

Consider Alternatives

If mandatory biometric verification is a dealbreaker, alternatives exist. Signal for private messaging. Matrix/Element for community servers with end-to-end encryption and no age verification requirements. Mumble for voice chat. None of them are drop-in Discord replacements, but none of them will scan your face either.

Appeal If You're Wrongly Classified

Discord says users can contest age classifications through "My Account" settings. If you're an adult and the background inference model flags you as a teen, you can appeal, but the appeal process itself requires age verification. You can't escape the face scan forever.

The Real Cost of "Protecting Kids"

Nobody wants children exposed to harmful content. That's not the argument here. The argument is about the mechanism, and whether building a global biometric surveillance system is a proportionate response to the problem.

Discord had 200 million monthly active users as of this announcement. Every single one will now face a choice: hand over biometric data, hand over government ID, or accept restricted access. That's not a safety feature. That's a compliance apparatus.

The October 2025 breach proved the system's weakest link isn't the technology: it's the vendors, the contractors, and the humans with access to the data. Discord switched vendors. It hasn't explained what changed about the security architecture itself. It hasn't named the new vendor. It hasn't offered independent audits.

What it has done is ask you to trust it again. With your face this time.

Discord is recruiting a "Teen Council" of 10-12 teenagers, ages 13-17, to provide feedback on its safety policies. Applications are open through May 1, 2026. The company that just asked 200 million adults to scan their faces is consulting a dozen teenagers about whether it's a good idea.

That tells you everything you need to know about whose input actually matters here.

References

  1. Discord Press Release - Discord Launches Teen-by-Default Settings Globally (February 9, 2026)
  2. TechCrunch - Discord to Roll Out Age Verification Next Month for Full Access (February 9, 2026)
  3. 9to5Mac - Discord Will Soon Require Face Scans or ID for All Users (February 9, 2026)
  4. NBC News - 70,000 Government ID Photos Exposed in Discord User Hack (October 2025)
  5. Proton - Discord ID Data Breach: Why the World Isn't Ready for Age Verification Laws (2025)
  6. Discord - Update on a Security Incident Involving Third-Party Customer Service (October 2025)