Update March 13, 2026
Persona reached out to us to clarify that:
- The exposed testing environment was isolated from production systems.
- No personal data was exposed.
- No Persona customer uses all the possible 269 checks.
- Persona does not work with any Federal agency.
- Persona only processes data and their customers control Persona’s handling and deletion of data.
You can read Persona’s explanation of the issue and their response in this post-incident review.
What happened?
Researchers investigating Discord’s age-verification checks say they discovered an exposed frontend belonging to Persona, the identity-verification vendor used by Discord. It revealed a far more expansive surveillance and financial intelligence stack than a simple “teen safety” tool.
A short while ago we reported that Discord will limit profiles to teen-appropriate mode until you verify your age. That means anyone who wants to continue using Discord as before would have to let it scan their face—and the internet was far from happy.
To analyze these scans, Discord uses biometric identity verification start-up Persona Identities, Inc., a venture that offers Know Your Customer (KYC) and Anti-Money Laundering (AML) solutions that rely on biometric identity checks to estimate a user’s age.
To demonstrate the privacy implications, researchers took a closer look and found a publicly exposed Persona frontend on a US government–authorized server, with 2,456 accessible files.
You read that right. According to researcher “Celeste” the exposed code, which has now been removed, sat at a US government-authorized endpoint that appears to have been isolated from its regular work environment. However, Persona clarified later in a blog post that “this entire domain has never had any federal customers and has zero customer data.”
In those files, the researchers found details about the extensive surveillance Persona software can perform. Beyond checking a user’s age, the software can perform 269 distinct verification checks, run facial recognition against watchlists and politically exposed persons, screen “adverse media” across 14 categories (including terrorism and espionage), and assign risk and similarity scores.
Persona collects—and can retain for up to three years—IP addresses, browser and device fingerprints, government ID numbers, phone numbers, names, faces, plus a battery of “selfie” analytics like suspicious-entity detection, pose repeat detection, and age inconsistency checks. After “Celeste” published their findings online, Persona CEO Rick Song said on the social media platform X: “We verify your identity securely, retain it for only as long as necessary on behalf of the customer, and then delete it as soon as we can.”
At a time when age verification is very much a hot topic, this is not the kind of news to persuade privacy advocates that age verification is in our best interest. Sending data obtained during age verification checks to data brokers and foreign governments—reportedly Persona was tested by Discord in the UK—will not instill the level of trust needed for users to feel comfortable submitting to this kind of scrutiny.
This comes amid broader questions about whether age verification is actually doing what it’s supposed to do. Euronews looked at the effect of Australia’s world-leading ban on social media for under-16s. Australia’s new rules have only been in force for six weeks, but while the country’s internet regulator says it has shut down about 4.7 million accounts held by under‑16s on platforms like TikTok, Instagram, Snapchat, YouTube, X, Twitch, Reddit, and Threads, children and parents describe a very different reality. Interviews with teenagers, parents and researchers indicate that many children are still accessing banned apps through simple workarounds.
According to The Rage, Discord has stated it will not continue to use Persona for age verification. However, other platforms reported to use Persona include:
- Roblox: Uses Persona’s facial age estimation and ID verification as the core of its “age checks to chat” system.
- OpenAI / ChatGPT: OpenAI’s help center explains that if you need to verify being 18+, “Persona is a trusted third-party company we use to help verify age,” and that Persona may ask for a live selfie and/or government ID.
- Lime: The ride-sharing service deploys custom age verification flows with Persona to meet each region’s unique requirements.